Virus, spam, spyware news and Tips. Keep up on the latest developments and preventive measures with these 'best practice' methods.

Saturday, October 30, 2004

New IE Flaw Spoofs URLs

A series of HTML-based exploits allows a malicious HTML programmer to direct a user to a different Web site than the one indicated in the user's browser status line. Two separate but similar issues affect Internet Explorer. The first, reported by Benjamin Franz of Germany on the Bugtraq mailing list, involves an improper mixture of anchor and table tags, with links to two different sites.
On fully-patched Windows systems prior to Windows XP SP2, users hovering over the link will see one URL in the status bar, but when they click on the link, they will be taken to a different address. On Windows XP SP2, clicking on the link brings the user to the same address indicated in the status line. Users hovering just below the link will see the second address, but clicking in this area does not change the browser location.
The second report, also posted to Bugtraq, is by the well-known malware researcher http-equiv. The effect is similar to the first, but the bug works on fully-patched Windows XP SP2 systems. The technique involves the mixture of an empty anchor tag and a form tag that has both an action attribute indicating one address and an input tag of type submit whose value is the other address, all in the presence of a base href tag indicating the second address.
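For mail or web content filtering, the two markup patterns described above can be flagged before a page reaches the browser. The following is an added example, not code from either Bugtraq report: the class name, finding labels and `.example` hosts are made up for illustration, and it assumes the first pattern shows up as a link opened inside a table while another link is still open.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def host(url):
    """Lower-cased host of an absolute URL, or '' when there is none."""
    return (urlparse(url or "").hostname or "").lower()

class LinkMismatchScanner(HTMLParser):
    # Token-level scan with no tree repair, so nesting is seen as written.
    def __init__(self):
        super().__init__()
        self.open_anchors, self.findings = [], []
        self.table_depth, self.base_host, self.form_action = 0, "", ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            self.base_host = host(a.get("href"))
        elif tag == "table":
            self.table_depth += 1
        elif tag == "form":
            self.form_action = host(a.get("action"))
        elif tag == "a":
            h = host(a.get("href"))
            # First report: two links to different sites mixed with a table.
            for outer in self.open_anchors:
                if self.table_depth and h and outer and h != outer:
                    self.findings.append(("anchor-table-mismatch", outer, h))
            self.open_anchors.append(h)
        elif tag == "input" and (a.get("type") or "").lower() == "submit":
            shown = host(a.get("value"))
            # Second report: submit value names one site, form action another.
            if shown and self.form_action and shown != self.form_action:
                kind = "form-submit-mismatch" + ("+base" if shown == self.base_host else "")
                self.findings.append((kind, shown, self.form_action))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self.open_anchors.pop()
        elif tag == "table" and self.table_depth:
            self.table_depth -= 1
        elif tag == "form":
            self.form_action = ""

def scan(html):
    scanner = LinkMismatchScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed inputs for the scanner (element mix taken from the descriptions above).
SAMPLE_ANCHOR_TABLE = '<a href="http://shown.example/"><table><tr><td><a href="http://other.example/">x</a></td></tr></table></a>'
SAMPLE_FORM = '<base href="http://shown.example/"><a href=""></a><form action="http://other.example/go"><input type="submit" value="http://shown.example/"></form>'
```

Each finding is a tuple of the label, the host the user is led to expect, and the host the markup actually points at; ordinary submit labels such as "Search" carry no host and are ignored.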