New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
for paypal where there are so many redirect scams.
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
Nice. Wonder if they're going to break their word again and distribute yet another patch during december.
Still this seems like a major flaw - For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect but there's a lot less flaws than IE.
tom-george.comBecause geeks rate higher t
http://www.zapthedingbat.com/security/ex01/vun1.ht m
http://www.microsoft.com/ie_advisory@%01goatse.cx
All that bizarre crap on the SCO website must actually be The Onion playing games...?
Is pretty compelling (spoofs Microsoft.com):
http://www.zapthedingbat.com/security/ex01/vun1.htm
There is no bug, and there will be no patches in December! We will reveal the vulnerabilities of the infidels and they shall tower over our own!
I don't really get them sometimes, honestly. Is this sort of like their being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?
Click here [ZapTheDingBat.com] to see an example of how it is done...
Opera and Mozilla (at least firebird) handles it properly :-)
Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?
Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downloaded Java 1.4, whereas it does work from Mozilla.)
-Rob
'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch
Let's just hope they release the patch on purpose this time.
wud
Secunia rated the vulnerability as "moderately critical."
How long will it be before someone finds a "critically critical" uber-flaw.
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
No bug in my box for some reason. It works fine on my version, IE 6.0 on Windows 2000.
I've found that people are more likely to encounter these sort of things via e-mail, and that they lend themselves quite easily to fraud/theft. Hopefully, Microsoft will release a patch for this even though it's December, because this will no doubt find its way into (illegitimate) spammers' arsenals.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Where it hides IE, and downloads Mozilla or Firebird as a replacement...
of a number of severe security issues in IE. The fact is IE6 is abandonware beyond trivial patching; issues that require more substantial reworking will not be addressed until Longhorn is released with the new version of IE.
One need only look at the state of IE to see Microsoft does not give a stuff about it anymore; it lacks features and usability and has been left behind by Firebird in the usability stakes. The sole reason IE is still needed by some is because of ActiveX and stupid sites that use it *cough*bbc news*cough*.
Just after I had a lecture for my parents / friends on how to validate URLs, some shit like this comes up. Using Microsoft products is like fighting windmills all the time. Lucky for me, I have ended all friend-support for anyone not using Linux or MacOS.
Is why I never use IE unless I absolutely have to.
On my computer, IE doesn't even have access to get through Zonealarm.
Technoli
It doesn't have the IE bug but on the other hand, I can see how a careless or inexperienced user could assume they were at the correct site. At least with Firebird you get a fair chance to double-check though.
In God We Trust, Others We Monitor
I think it is the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking URL will just add a few more to the gullible.
My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc. and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately that it's not an eBay address. I pointed that out to him: the email's fake, a scammer looking for a way to make a quick scam using his eBay account.
What does he do? Goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my eBay account details". It didn't even enter his head that the scam was a COMPLETE scam. Half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.
A fake URL might catch a few more, but it's people's attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO.
Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
... after all, friends don't let friends use Microsoft :-)
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
...like this:
http://feisar.de/stuff/safersurf.jpg
click on the test button on this page.... it's quite scary.
;)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
Opera (7.23) is not vulnerable to this.
Microsoft is blaming the person who found the bug, rather than themselves. Attacking the messenger seems to be their standard approach to security.
Look at my karma - I'm bad, just like Michael Jackson!
No. You are. I won't sharecrop for Chairman Bill. Nor during this holiday season will I do any free work for him either.
The least we could have gotten from the guilty verdict from anti-trust trial + appeal would be the unbundling of MSIE. That way OEMs could install a more useful, less troublesome, more secure tool like Mozilla or Opera. Or if users had to decide on a browser there'd be a higher probability of choosing one based on technical merits.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
They have an example and a bunch of IE users going "woah" in the comment section that a bug is in the holy microsoft code.
http://www.dslreports.com/shownews/36359
http://www.microsoft.com/ie_advisory%01@goatse.cx
As bad as this may seem, perhaps it will push users into other browsers. Microsoft has already said that future IE versions will only be available through an OS upgrade. Perhaps the less enlightened will become enlightened when they find that IE X.X is no longer supported and [insert vulnerablity here] can only be fixed with an OS upgrade because you can't just get an IE upgrade. Maybe then, the less enlightened will just get another browser and then be enlightened.
When I tell an object to delete this, am I killing it or telling it to kill me?
The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.
Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.
I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.
This will continue, ad extremum nauseum.
Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.
The only thing more dangerous than a file named -rf is renaming it -rf\ /
Internet Explorer 6... browser of choice for easy hacking targets everywhere.
My copy of Mozilla 1.6BETA displays it properly. The page has the full, malformed url on the top.
IE is supposed to TRUNCATE the malformed part, only displaying the first, misleading bit.
No it doesn't. The exploit page linked to in the article displays the full URL with Mozilla 1.5 on my Linux system:
http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm
I tried the 'exploit' on IE 6 (build 6.0.3790.0 w2k3) and it simply doesn't work.
No it doesn't (Opera 7.23 is fine) ...and the parent is not informative.
Incorrect. Although they all will take you to the latter site, only IE will -hide- the actual URL.
Microsoft update routinely resets "program access and defaults." Most annoying, but not what this note is about.
/.: have others had problems with Netscape/Mozilla profiles disappearing, and do they appear to be correlated with Microsoft Updates?
On three occasions, with two different users, I have observed that Netscape/Mozilla profiles have disappeared following Microsoft update. Just a coincidence? Perhaps, but after the third occurrence I have become suspicious.
Because Microsoft update is an opaque process, there's no way I can even attempt to 'reproduce the problem' as I would normally do in similar circumstances.
So I'll ask
Doesn't affect either my Opera or latest Mozilla beta......
The great unwashed hordes that while away their days on IRC will be protected from this new method of tubgirl trickery!
I can create a web page that opens a window with NO menu at the top, buttons, or address bar (pop-ups do this all the time). And then I can have that web page CONTAIN a substitute menu, buttons, and address bar. In that fake address bar, I can write "www.microsoft.com", just like the sample demonstration. Simple exploit. May fool some people. May get them to enter their credit card info.
Better yet... imagine this.... set up a whole www.ammazon.com (sic) site that looks like amazon.com, by retrieving amazon's pages in real time. Then collect credit card info, and never ship the merchandise. It could "look" like amazon, and you'd never notice that you accidentally had a typo when you misspelled "ammazon"! Because "amazon" is in the address bar!
Or have I just revealed YET ANOTHER bug that Microsoft needs to fix?
What I want to know is, just how badly does the regular computer-using public need to get battered, by security holes and other exploits in IE, before they finally just ditch the damn thing?
I installed Firebird for a co-worker the other day. While I was doing this I explained that they should turn on the pop-up blocker. They were astounded that this feature existed at all. I find this is a very common reaction (which, in turn, astounds me... lot of astounding going on).
I'm sure this sentiment has been posted 56739285679 times before but really.. with the next version of IE coming out with Longhorn, god knows when, are people really going to put up with several security advisories every single month for the indefinite future?
(I'm sure if I showed that same co-worker Safari or Konqueror they'd lose their shit completely. I'm not that cruel - they're stuck on Windows.)
If Jesus wants me it knows where to find me.
Microsoft, unlike Linux, presents an easy user-friendly interface to keep all these bad things at bay...
Another Way to Approach IE Security
http://www.winnetmag.com/Article/ArticleID/41138/Windows_41138.html
"The My Computer zone isn't listed when you view zone security in IE--you must edit the registry to adjust its security. However, be aware that when doing so, you could make mistakes that cause problems on the desktop and might even prevent the system from booting. You can find a detailed explanation of IE's security zone settings and how to edit them in the registry in the Microsoft article "Description of Internet Explorer Security Zones Registry Entries" ( http://support.microsoft.com/?kbid=182569 ).
I think Larholm's approach makes good sense. You might consider trying it, but instead of manually adjusting the My Computer registry settings, you might consider using a utility to help automate the tasks to reduce your chances of error. PivX is beta testing a new utility called Qwik-Fix, which automates registry adjustments and strengthens the security of other subsystems, settings, and software such as remote procedure call (RPC)/Distributed COM (DCOM), MIME types, Windows Messenger, and Adobe streams. You can learn more about it at the URL below. "
Windows rules!
Yet again the grand tradition of
So
Happy
It's
Thursday
is upheld by Microsoft security bugs.
And of course, now that Microsoft is releasing patches on Tuesday, we also have
So
Happy
It's
Tuesday
as well.
Kudos to Microsoft!
www.eFax.com are spammers
Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"
Please people, keep in mind that there are also people who actually like patching!!
For more info see: http://www.lastanzadeglihobby.it/patchwork.htm (excellent cursor b.t.w.)
I want my karma, and I want it now!
security issues in other browsers? IE may have its problems but it is the most powerful and standards compliant browser available at the moment. Mozilla may be an alternative one day but not at the moment.
How did you come up with that deduction? IE6 is the only f'd up browser I tested. All other browsers display the proper URL.
Here is IE with closed source and, no matter what, it is always the worst nightmare for security out of all browsers, of which almost all the others are OSS.
Let's hope that in about 3-4 years from now, Longhorn will have been decently designed to do things right.
At least I've been having more success pushing alternatives to MS when scary MS articles come out.
I find giving people the link (or installing it myself) to the Firebird installer and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.
I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet thieves."
Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.
Heck, the only time I use IE, is to check the MS site for updates. Otherwise, I use Mozilla, Opera, or Firebird
Mozilla 1.5 W2K shows the full URL with the %01 (doesn't convert it), but did anyone notice that the text on the test page is in a REALLY tiny font? It seems that Mozilla renders the font size incorrectly if you put a space between the number and the 'pt' (style="font:8 pt verdana" instead of style="font:8pt verdana")
Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
>> Malicious hackers frequently lure victims to convincing replicas of e-commerce sites such as eBay
... hacking pr0n sites.
O, of course, that's the principal interest of "Malicious Hackers". I know them. They are so bad. They really scare me, with the jaquer things they do : ). Of course, they are all over I.E (they use it to browse their p0rn "hacked" sites.) That's the other thing "jaquers" are good for.
Do you want hackers? You won't find them there.
You can find them here, for example: http://www.cs.pdx.edu/~trent/gnu/hurd/hurd-paper.html
Heeeeeyyy... you lied to meee.... those hurd guys are not "real" hackers, their terminals are not green like, they don't know kung-fu!!, wtf is going on???
Well... neo is busy developing the Matrix-exec-server to run on top of Mach ..., so in the meanwhile you can get a dose of reality and stop writing about jaquers that use win3.1
WTF am I doing replying to an AC at 5 A.M on a Friday night?
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.
You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.
Why is anything anything?
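A check of the kind this post proposes (and that later replies asking for a "username and @ symbol" warning also describe), written here as an added example in Python rather than taken from any browser's source. It assumes RFC 3986 parsing as implemented by Python's urlsplit: the authority ends at the first '/', and the host is whatever follows the last '@' in the authority, so an '@' later in the path does not change the host. The sample URLs are constructed after the ones quoted in the thread.

```python
"""Flag URLs whose part before '@' could be mistaken for the site name.

Added example for this thread, not code from any browser. Parsing follows
RFC 3986 as implemented by Python's urlsplit: the authority ends at the
first '/', and the host is whatever follows the LAST '@' in the authority.
"""
import re
from urllib.parse import urlsplit, unquote

# C0 control characters (%00 NUL, %01 SOH, ...) and DEL: a display routine
# that stops rendering at one of these is the truncation the thread describes.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Loose "looks like a hostname" test: two or more dot-separated labels.
HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)


def analyse(url):
    """Return the real host of `url` plus a list of warning strings.

    IPv6 literals in the authority are not handled (kept simple on purpose).
    """
    parts = urlsplit(url)
    # rpartition: the host is what follows the LAST '@' in the authority.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    host = hostport.split(":", 1)[0].lower()
    warnings = []
    if at:  # a username part is present: the case the thread is about
        decoded = unquote(userinfo)
        warnings.append("username present; the real host is %s" % host)
        if CONTROL_CHARS.search(decoded):
            warnings.append("username contains a control character "
                            "(e.g. %01) that can truncate the displayed address")
        if HOSTLIKE.search(decoded):
            warnings.append("username looks like a hostname: %r"
                            % CONTROL_CHARS.sub("", decoded))
    return {"host": host, "userinfo": userinfo, "warnings": warnings}


def safe_display(url):
    """Address-bar text built from the parsed host, so the username part
    cannot stand in for the site name (query string deliberately omitted)."""
    info = analyse(url)
    parts = urlsplit(url)
    shown = "%s://%s%s" % (parts.scheme, info["host"], parts.path or "/")
    if info["warnings"]:
        shown = "[WARNING: username in URL] " + shown
    return shown


# Constructed samples modelled on the URLs quoted in the thread.
SAMPLES = [
    "http://www.microsoft.com%01@www.heise.de/security/",
    "http://www.yahoo.com@xj.es?a=b&c=d&r=b",
    "http://www.ebay.com/index.html@myspamdomain.com",  # '@' sits in the path
    "https://www.paypal.com/cgi-bin/webscr",
]

if __name__ == "__main__":
    for u in SAMPLES:
        info = analyse(u)
        print(u)
        print("  real host :", info["host"])
        for w in info["warnings"]:
            print("  warning   :", w)
        print("  display as:", safe_display(u))
```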
A similar phishing exploit can be done using chrome-free windows (see earlier story) with the IE toolbar, address bar and even the little SSL padlock inserted as a GIF (just cut and paste from a screen dump of the real site). So the victim's screen looks exactly like www.fatcatbank.com when it's really at www.russianmafiaownzj00.ru. Mousing over the address bar would give the game away with this simple example, but it's not impossible to use HTML forms to make an address bar that works.
When I am king, you will be first against the wall.
This is maybe happening to me. This week, after visiting some adult sites, I noticed that the sponsored links section in google now took up an entire page. There was also a pop-up. ...
I figured that if google was doing crap like that, there would have been something in the news. I ran my virus checker and my spyware cleaners, found a few things, removed them, and then went back to google. The same thing was happening.
It is a clever trick. The page looks exactly like google and, when you choose the other search pages (2 and above) searches work. However, the selection for 1 no longer links to anything. When you go to other googles overseas or use the direct IP address, google works correctly. On other PC's on my network, google works correctly.
The bogus sponsored links are either to 216.221.138.95 or to something called searchassistant.net. The pop-up that comes up is linked to epsilon.searchassistant.net. Linking to searchassistant.net brings up a page claiming to be under construction and offering a link to uninstall searchassistant spyware. I haven't tried that because I have work stuff to do on this PC and don't have time to reinstall Windows or something if that blasts me with more crud.
I dug around through the registry and the C drive and found several odd keys and files referring to google and searchassistant. I removed all I could find without any effect. I'm not an expert so I must have missed stuff. There is also a strange application that keeps appearing on my C drive called msdos.exe. It is not DOS and always restores when I remove it.
These people are scum and should be abused and sanctioned. It is one thing to hit people with popups and another to present fake web-sites. Also, I never allowed anything to download and I know I didn't make a mistake. I'm not THAT much of a newbie. These people are basically virus writers. Also, if you are adult site surfing, never ever go to p***y.com. This is the site that infected my PC with this searchassistant crap.
As I said, I'm not an expert, basically a normal user with enough know-how to be dangerous. If anything I wrote is obvious or stupid, then I apologize
Now go away, you are taking up the space of the Microsoft apologists and I can use a good laugh.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL.
Why would you do that, since only IE is affected. It would be like Open Office popping up a window saying: "If this were MS Office you'd be infected by a VBR virus." While I agree that such a site would be suspicious, such a feature would add no functionality to the browser.
I bought it. Still waiting for the goddamn confirmation mail. I expect better service than this for $49.99, let me tell you.
for paypal where there are so many redirect scams.
:-)
Yeah, for some reason I was reluctant to reenter my credit card information when I noticed the IP traffic going to identitytheft.com. Of course, running mozilla helps one notice such things.
Glad to see Microsoft supporting the largest growing industry in America, on-line or otherwise, so proactively (identitytheft). It is about time one of the large corporate players started playing a proactive role in our recovery (NOT).
The Future of Human Evolution: Autonomy
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Very few are trying to break Opera or Mozilla with the same Oedipal fervor directed against Bill Gates and M$.
As an analogy, 9/11 did not prove the inherent weakness of US skyscrapers vs. those in Afghanistan (if they have any).
My Windows XP checks for updates every time I reboot. I do not switch off the machine and, XP being stable, I boot less frequently. I have to manually download all these patches. What about people who are not aware of them? "Stable Windows" can cause problems too. How ironic!
Opera does this. If you try to go to a link with an '@' in it it brings up a 'Security Warning' dialog box that tells you 'you are about to go to an address containing a username' and asks if you want to continue. It's done this for a while I believe.
Suck figs.
not just IE6!
IE5.5, IE6, firebird0.61....
those berating ms should set about fixing it in their beloved OSS browser first. interesting to see whose fix comes out first.
The only road to paradise begins in hell
I remember when you could %hexhex encode the @ in the url!
So I would do things like http://www.microsoft.com%40www%2eapache%2eorg/httpd which would naturally take you to the home page of the Apache web server... It was a fun prank and worked through IE 5.5 to my knowledge. It was extremely useful for pranks of all kinds, though I am sure that there were a number of nefarious uses as well.
LedgerSMB: Open source Accounting/ERP
Call me paranoid, but I think that I am going to refrain from following any links in this slashdot discussion until I can get back home to my home computer (and more specifically my copy of Safari...)
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Even if it's hidden in the address bar, you can do File > Properties to see the full URL.
And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
Only IE doesn't show the rest of the address in this specific case, but all browsers have the problem of displaying 'http://www.ebay.com/index.html@myspamdomain.com'. In this case the user should be alerted, at least the first time, that the site may be trying to fool them. The fact that the whole URL is shown doesn't help most people. Heck most people don't even notice the address bar.
From other comments in this thread, and from the second comment on my post, it appears Opera already implements this. I think Firebird should too. I may even file a bug report (RFE) if there isn't one already. (Can anyone tell me the exact text of the Opera message?)
Why is anything anything?
It makes it www.microsoft.com. Try it. Very uncool to be able to do this. I think they should have put up something like:
Suddenly everything sucks
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
There will be no bug fixes as this is not a bug.
It was intentional, deliberate and works the way its supposed to.
This from the same morally bankrupt bunch that brought you the argument: "Guns don't kill people. People kill people." and "We don't know for a fact that cigarettes cause cancer." and "If we charge for collapsible steering columns, people won't want to pay for 'em."
Nothing like blaming the victim.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I use Opera and this does not fool it. In fact it shows a warning that the URL contains a username.
Well, if you put it like that, I see your point. It can be confusing.
I *HAVE* seen spams like that.
http://www.yahoo.com@xj.es?a=b&c=d&r=b
etc. etc.
From a quick glance, something like that DOES look like a normal URL. I've seen it before and I have no doubt I'll see it again.
(the above domain is a sample, not an actual one I saw).
Bryan
More goatsex links...
I'd imagine that a fix for this would be easy; the code for null-handling (%00) could be extended to handle "Start of Heading" (%01). In pseudocode, change:
if char = 0 then
'something
end if
To:
if char = 0 or char = 1 then
'something
end if
maybe they should port IE/mac over to Windows :) It would save them all this trouble with patching the buggy old Windows version.
The only way to actually get fooled into going to such a site is by clicking on a compromised link. For any site that contains personal information, I, like most people, either go to the site from our bookmarks or by typing the URL. I have never gone to my bank account or eBay or any other shopping page by clicking on a URL on someone's web page or an email that someone sent. I'm pretty sure there will be people that will get fooled by this, but then again chances are that these same people would go to a malformed URL (fakeurl@realurl) regardless of them using Mozilla or IE. Besides, the most recent "spoof" of fake sites actually redirected you to the actual site (real URL) while popping up an "Enter your info" window sans address bar from the fake site.
"Very few are trying to break Opera or Mozilla with the same Oedipal fervor directed against Bill Gates and M$."
And the evidence for this is [insert evidence here].
[Note that this was discovered by security researchers - do those researchers really show an 'Oedipal fervor against Bill Gates and MS'?]
Actually, I think Finuvir was referring to the general use of '@' in a URL, rather than the use of unescaped %01.
Seems like a damn fine idea to me. If all browsers already had this functionality, It would have prevented this from happening.
From now on this is the link I give my friends to download IE from: http://www.microsoft.com/internetexplorer/%01@mozilla.org
Does IE know it's being tricked, or does it know the real site and just display the wrong one?
:/
I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem
yeeeeesh.
It's the same feeling I had a few months ago when the batch of RPC vulnerabilities was announced.
At least I'm coming up on a nice long holiday for Christmas. Fixing the soon-to-be-'sploited machines won't be a concern until after the new year.
There are some people that if they don't know, you can't tell 'em.
URL encoding uses %xx to denote a hex character.
%01 is ASCII 0x1 or SOH (start of header)
Maybe that's how SOH should be interpreted? If other browsers aren't doing this then maybe they aren't processing other %xx characters properly.
...but then, I'm using Safari on a Mac. :-)
--R.J.
Electric-Escape.net
This is not a biggie as it will not work from most email clients (Outlook Express/Outlook included) as they don't allow javascript to execute. This will only work from a webpage as demonstrated.
I don't want free as in beer. I just want free beer.
If MS browser actually displays everything on the address bar without filtering of any sort, problem would not have existed.
Just another example of a solution that solves a problem that doesn't exist and creates security holes.
Imagine the havoc someone could create if they circulated links to fake press releases to venture capitalists, or stock holders. Personally, I'd get creative and incorporate zero frame and Iframe for that hyper-real look.
This kind of thing could be way bigger than the "smash-and-grab" steal your credit card/password stuff.
And checking past a NUL character in a C string isn't really safe.
6.0.2800.1106 Win2K sp4 on my machine _is_ vulnerable
That's a feature I'd enjoy possibly with an odometer counter showing how many exploits I've personally missed out on by using open office.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
Confirmed on my machine as well. I just tested Win IE, Mac IE, Win Mozilla, and Mac Mozilla; the only one affected is Win IE.
- First they ignore you, then they laugh at you, then ???, then profit.
When it comes to security, there is no one in Redmond that can even spell the word! Once you understand that all the problems are easy to understand.
Professional Politicians are not the solution, they ARE the problem.
Moz developers have thrown the idea around, but they don't like popping up dialog boxes because apparently users find them annoying. Or so they say.
Why isn't this installer the most prominent thing on Mozilla's front page? Does anyone even understand marketing at Mozilla and the skill level of the average win32 user?
"Hey, let's give the general public compressed zip files and let them figure it out and where to install it."
If developers want Mozilla/Phoenix to be popular they gotta make it really, really easy to get installed by the average Joe. They don't even know what a "zip" file is, let alone extract and install it, create shortcuts, etc. etc. They just want it easy.
They could add an installer for Linux too, so I can download a package, double-click it and it's installed, no tar.gz extracting and compiling so I have to have 5 copies of it over my drive just to install it.
I know Mozilla's developers are clever with code, but when it comes to marketing and Joe User usability it seems they even lack common sense.
This isn't as bad. You have to go to the attacker's website first for this to work. It doesn't work as a direct link from an email client because it needs to execute javascript.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
This in fact is not true. As posted above, normal people will see the ebay.com or microsoft.com part of the URL and think it is legit (on ANY browser). So in fact a URL parsing, username and @ symbol check would be a great security feature, and probably take about 3 lines of code to do it. Not that I can code for shit. Also, I believe Opera already has this security feature.
webpagesthatsuck.com has a demonstration of this exploit already in action.
The probability that someone is watching you is directly proportional to the stupidity of your actions.
Just tested that!
I have XP Pro running ie 6.0.2800.x.x, and it properly displays the site name, even though the redirect works. In other words, the malicious site in the link does come up, but it comes up with the actual URL in the address bar...not the fake.
I do have KPF 4.0.7 installed...wonder if that has something to do with it...
I tried the heise site using IE5.5.4807.xx and Mozilla 1.5. Both went to the Heise fake page. BUT Mozilla displayed the correct URL [http://www.microsoft.com%01@www.heise.de/security/] in the title bar. IE displayed Microsoft.com
Geccie
This article at securityfocus says IE 6 and possibly earlier versions of IE. No Mozilla, Netscape, Opera, Links, Safari, Konq, Firebird, etc.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The problem is that it looks like it affects them all.
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either an ASCII 1 or an ASCII 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0
ASCII 1
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
Your credit card information wants to be free.
Mmm, Danish.
This comment was generated by a squadron of trained super elite albino ninja chickens for you.
Rub them together to spark a clue: Stop using the browser that Bill Gates himself is using to gather information about your personal life. There are about twelve dozen other, MUCH better browsers to choose from. Don't believe me? Check this out:
Click here for more info
As you'll notice shortly after clicking the link, it's not Micro$oft.com. It's actually www.hoary.org/browse. I even used IE for the first time in months to try this out (didn't work completely; I'd see Page Cannot Be Displayed, but it did mask the real page. That's hella cool, though!).
Also, another way to make a similar "exploit" work in ALL browsers that recognize scripts, you'd make an HTML link like this:
a href="http://www.hoary.org/browse" onmouseover="window.status='http://www.microsoft.
This will make the status bar show http://www.microsoft.com/alternatives/browsers yet take you to http://www.hoary.org/browse. It may not fool the tech-savvy after a while, but it's damn cool!
Galeon 1.3.7 I love not being stuck on Windows anymore.. :o)
Remember, there are no stupid questions. But there are a lot of inquisitive idiots.
- Win IE 6.0
- Mac IE 1.5
- Win Mozilla 1.4.1
- Mac Mozilla 1.4
The only one affected was Win IE. If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
- First they ignore you, then they laugh at you, then ???, then profit.
Nothing like blaming the victim
Hey dumbass:
The person pulling the trigger is not the victim.
Yes, the following string is filtered out by slashdot, but viewing properties definitely gives the url
http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm
with a funny square block thing before the @
I was baffled to discover that my browser (Firebird) supports the @ redirection at all. I've been unable to uncover any W3C or RFC standard that covers it, though presumably one exists. Can somebody point me to it?
Perhaps that would explain why such a silly feature exists at all. It seems to have no other purpose than for spoofing.
At the bottom of the google news link: Get the latest news on internet explorer vulnerability Be careful not to click that link unless you really like google news.
Go to this page for a demonstration without using javascript or a button!
He is correct in part. My older version of Mozilla:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830
Displays this URL in the test link in the article:
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
To a normal user it may look like I am in the microsoft domain. In IE, however, it truncates the ugliness at the end, like so:
http://www.microsoft.com
Which is far more deceptive.
I don't have Mozilla 1.5 on my machine here, but 1.3 is vulnerable to a "%00" before the "@" also. However, Mozilla is not -as- vulnerable as IE.
IE displays href="http://www.yahoo.com%00@www.hotmail.com" as www.yahoo.com when it is actually a link to www.hotmail.com in the status bar at the bottom of the browser, and it also shows that link as one to "http://www.yahoo.com" when you view the properties of the link. Unfortunately I can't demonstrate this in this post as I intended, as Slashdot removes everything before the www.hotmail.com.
Mozilla 1.3 also shows the link as being to www.yahoo.com although it is actually to www.hotmail.com, although Mozilla 1.3 DOES correctly show the link properties as "http://www.yahoo.com%00@www.hotmail.com".
Consequently, Mozilla also needs to fix their browser, although only in one of the two ways that IE needs to fix their browser.
<a href="http://www.microsoftlovelinux.com@www.slashdot.org">www.microsoft.com</a>
www.microsoft.com
I wonder what impact this will have when this type of url gets submitted
I use IE 6 and Mozilla Firebird.
Firebird is not vulnerable, It passed the test
If you're doing any online purchasing, just make sure you verify the contents with a second browser like Mozilla and you'll be ok
: )
...folks would have to remember to use it:
:-)
When at a possibly-spoofed site in IE,
1. click in the address bar
2. hit the "End" key, then the space bar
3. click on the "Go" button
Me, I'd rather keep using Firebird
Like it would be so hard for a group with dubious credentials to acquire a cert. Browsers don't prompt usually so long as the cert is up to date, and from an official cert authority.
Who's going to inspect and notice it wasn't issued to the right corporation?
Well, hopefully any paranoid IE user, for now.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Should a website name like www.microsoft.com be allowed as a username @ another website like that?
How, exactly would you enforce outlawing it?
Beyond that practicality, while I've never seen the use of @ in web addresses, I will say that I wouldn't want potentially "deceptive" email addresses outlawed.
That's because whenever a web site wants my address I give it its domain-name.tld@my-domain-name.tld. That's how I figure out who's misusing the address I gave them (few do) and how I automatically sort incoming email.
Opinions on the Twiddler2 hand-held keyboard?
Did anyone else hesitate to click the Google news link on this story, in case it was a demonstration of the vulnerability in question?
'Security Warning' dialog box that tells you 'you are about to go to an address containing a username'
I consider myself "clueful", but this actually saved me some embarrassment. I clicked a link in Eudora -- looked semi-legit, but was actually a hidden link with text of "ebay.com". Opera displayed the "Security Warning", saving me from giving the bastards a hit that might have confirmed my email address.
However, the warning was pretty cryptic. If I didn't know that the URL format allows "username:password@domain.tld", I probably wouldn't have known what the heck Opera was trying to tell me. The warning is going to have to be pretty severe to undo the scammers' human engineering.
I'd say that only someone who really, really knows what they're doing would even put a username:password in the URL. Along with correcting this NUL-terminated string bug, I'd suggest Microsoft should add (yet another) configuration option: "Allow usernames in URLs". And it should be False by default.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
The first slash it finds after the two protocol slashes indicate the end of the hostname. That url would simply give you a 404 on ebay.com.
One more trivial tell to drop crap e-mails from my inbox.
If an e-mail contains the characters "%01@" or "%00@" kill it.
I can't think of any reason why those strings of characters would legitimately be found in an e-mail.
This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.
If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.
So for a real world example, if Grandma gets an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information, tell her to open her browser and go to her bank's web-site the old fashioned way of typing it in, to log into her account and then see if any notices are there.
If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.
Simple lesson for grandma: Never click on a link from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.
Anyone throwing up their hands about having to reteach grandma didn't teach grandma properly in the first place.
There's a very generic object lesson here that has zero to do with trying to see if a URL is being sneaky, that you should have taught her years ago when the first "click here to update your info" scams came through.
Ben
Work Safe Porn
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL
I have Proxomitron, the browser proxy, set up to place a button at the top and bottom of every page; clicking the button closes the browser with a javascript window.close().
The label of the button is the page address (and even in IE, it's the real address, as it's Proxomitron, not IE that's displaying the address), so I essentially have this feature already.
Of course, I could write a Proxomitron filter for some regexp of addresses, or alter the address (I already replace Gopher links, because of an IE exploit), or even suffix each link with a Slashdot-style [domain name in brackets].
Oh, and Proxomitron also wipes out most ads, removes dangerous javascript, gets rid of ActiveX controls and java apps and popups, etc.
Opinions on the Twiddler2 hand-held keyboard?
Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.
A link to the google news which links to the slashdot article. Now if only there was a way to make the link so that it took the google news link for slashdot and when you linked on it it took you back to the slashdot article.
Create a local document:
Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.
Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)
Save & open the file in Internet Explorer. Surprise!
But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?
Feeling lucky, punk?
At least it's not an outright kernel exploit that caused a Debian network security breach, like with Linux. Also, GNU/FSF, Gentoo, and GNOME.
You can't utilize this exploit with a standard a href. You have to use a button of some type.
It's also a big giant tell for mail server admins for dropping spam as it has no legitimate uses.
The object lesson that's been out ever since such e-mail scams started is: always go to the web-site manually and log into your account before submitting any information.
A legitimate company ALWAYS has you log into your account and ALWAYS posts a notice upon logging in telling you what you need to do. And they NEVER use a button as a link to their site.
Yahoo and Hotmail et could just as well add in a rule to delete any e-mail that contains those escape characters and no one using those services will ever get such an e-mail and never lose a legitimate e-mail from it. I'll be adding that rule to my mail server.
Seriously, I hope every spammer and scammer uses this so I never get a spam e-mail in my inbox again.
Ben
Work Safe Porn
SWEET. Just in time for Christmas.
"I now inform you that you are too far from reality."
To nuke this exploit from links you follow on a website (it won't help if you follow it from an e-mail or paste it into the address box, but if you are duped by that, then you probably aren't reading slashdot) you can add this rule to the Proxomitron (or a similar one to Privoxy, an open source equivalent)
and it will do a nice job of blocking all of these links.
Take this example email to a corporate user from a malicious person. The email is a simple example; I'm sure other more complex examples can be created:
To: corporate user
From: corporate help desk
Subject: MANDATORY: Username and password verification
Last night, one of our authentication servers went down and we need to rebuild our database. To make this process easier for us, please use the form below to verify your username and password.
http://our.corporate.intranet%01@www.malicious_site.com/username_and_password_verification.html
Thank you for your cooperation.
IT Help Desk
===
I can't believe that MS is just considering a patch for this. I would write to your corporate internet security officer and urge this person to take a look at this MS IE vulnerability and also to switch to Mozilla. This could be Mozilla's chance.
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
How is this insightful?
Scammers have been using that for a very long time. And it's hardly a bug considering the URL in the address bar shows the www.fsf.org address after you click on the link. The new exploit does exactly the same thing except the URL doesn't show the correct one which is why someone thought it was news.
The reason that feature is there is because IE is also a very slick FTP client.
ftp://username:password@www.somesite.com
and now you can drag and drop files to your heart's content just like it's a regular folder, and the url www.somesite.com shows up in the address bar alone so you know where you're at.
Both are equally offensive: not at all.
Don't click on links in e-mails that supposedly take you to verify information. Simple. Always go to the company's site manually and log in and check for notices there. Same as you should have taught grandma years ago.
This is yet another big non-news story of the day.
Ben
Work Safe Porn
Firebird may display the url correctly once you go to the page, but note that when you hover over the link it only displays the first bit of it - www.microsoft.com[%01 character]
It still baffles me that they think a patch "schedule" is a Good Idea. It even harms them from a PR perspective--this is a security flaw NOW, and we probably won't see a fix until 2004. Meanwhile, all other browsers have been immune for a while.
I thought Steve Ballmer said that they could learn things from Free/Open-Source Software! Microsoft's continual failure to make any attempt to embrace strategies for proven superior security and maintenance methods only shows their lack of concern for their product and customers.
That, or they really are as stupid as they look.
Don't know why, exactly... but every exploit listed here (on good ol' Slashdot) doesn't affect this system. The URLs match and there's no redirection. Must be one of the previous patches I have on here.
If any of you are so bored as to research (as I am not), here's the patches on this system:
Version: 6.0.2800.1106
Cipher Strength: 128-bit
Update Versions: SP1; Q328389; Q328970; Q324929; Q810847; Q813951; Q813489; Q330994; Q818529; Q822925; Q828750; Q813502; Q827667; Q826940; Q827057; Q824145
Windows 2000 SP4
Someone turns on their laptop, runs their browser, which autoloads a WiFi connection screen. How are they supposed to know the sign-on form they're about to populate with credit card data is from a legitimate link? What if that van parked outside is hijacking service by creating a new access point? Honestly, I don't know how realistic this scenario could be, but if it's possible it can be a big security concern, because:
1) The user is automatically directed to a link, so the default assumption is that it must be safe.
2) The whacker of course can make a clean getaway, without getting detected.
-jc
So the address field would look like:
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
And there would be no reason to pop up, which is just plain distracting.
well there goes their xmas present... 30 days without patching hehe
Insert Sig Here
Click Here to Perform Test!
:P
Lets see how slashdot parses this.
Even before this quite alarming security hole in IE was known, I got an email directing me to a fake eBay.com website which had a fake address bar.
It was an HTML email, so the URL shown in the email looked legit at first glance, and it then took me to a webpage which was obviously fake since I was using Moz. However, in IE it would have looked more convincing since it had hidden the real address bar, and then made a fake address bar using javascript and what-not.
This was by far the most convincing such scam I've received, and I imagine most people using IE could have believed it. Although I doubt many people are insane enough to fill in all their financial details including PIN into a webpage!
So now, all we need a patch to spell / grammar check the page and set the network zone on the status bar to the skull and crossbones when the errors exceed a certain threshold.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Maybe this is a new bug, and maybe it isn't... but nonetheless haven't people been using fake hyperlinks (or just covering them up) for years now?
I say this because every time I've come across a suspicious link (that I catch anyway) I have to right-mouseclick and copy and paste the URL into the Address Bar or Notepad to see if its legit. And surprise, surprise... some of them don't match up to what's displayed in my Status Bar.
Perhaps it is a new IE bug, maybe one that goes as far as preventing you from testing URLs like I do... but in the end isn't this pretty much the same exact trap to the average webuser who doesn't know any better?
in the future, try and make your jokes make sense
Apple's OS/X Safari has this problem too. The preview shows "www.microsoft.com" although it is scrolled vertically 1/2 line so there is some hint that something is wrong. The address bar ends up with %00 like it should.
" as being microsoft. You say ok to add the url to a list that won't pop up again.
:"joke" redirections, though it won't help if the redirector also controls their web site.
After seing Safari screw up, I tried Konqueror, but it seems to work (maybe). It shows "www.microsoft.com@secunia.com/..." in both the preview and in the address bar after you click (ie the %00 seems to have disappeared).
I would agree that this bug is not IE-only. It sounds like Opera is the only one doing the right thing. I would recommend that the browser should popup a warning for any username without a password, or containing a dot or any punctuation mark (to get around really stupid users who may read "http://www_microsoft_com@nasty.site.com/u_r_ownz
Also web sites should reject url's with usernames, rather than accept them by default. This will get rid of
What happened to responsible vulnerability reporting? Advertising the existence of a hole and its rough attributes is one thing. But describing exactly how to exploit the hole -- before giving the vendor a chance to fix it -- is just irresponsible, and may hurt users.
Sadly, very few users. I don't use IE, but I always check. The last time I bumped into this, I emailed the site owner (he has a very well known address), and he replied I was the first person to notice (that he knows of) in the 2 years the site has been up. It's fixed now, so the names match, but this just goes to show, most people don't check.
buymusic.com.
*STILL* doesn't allow non-IE users. Pitiful.
vuln0 goes to Slashdot, with the URL "http://slashdot.org/" displayed in the address bar. Holding the mouse over the link displays "http://slashdot.org/" in the status bar.
vuln1 goes to goatse.cx with the proper URL shown in the address bar ("http://slashdot.org%01@goatse.cx/"). But holding the mouse over the link does not show the address in the status bar. It seems to show the previous status message - once I saw "Transferring data from site...", another time I saw "http://slashdot.org/users.pl".
Microsoft has finally stepped up and issued a Knowledge Base article on the Matrix Rebooting issue.
<a href="http://support.microsoft.com/" onclick="location.href=unescape('http://support.microsoft.com%01@www.str8dog.com/matrixkb/');return false;">Matrix Rebooting KB Article</a>
You can see this spoof actually working by clicking the link in my sig... Might as well have some fun at microsoft's expense right?
Str8Dog
using System.Darkside; public
I just tried it and the URL appears in the address bar as "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm"
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
see this not Yahoo. (Source: Sam Ruby
I'm hearing more and more people saying that M$ is everywhere, but so are M$'s problems, and prices. When Mozilla completes their version of M$'s 'Lookout!' calendar and scheduler, I will recommend that also.
People writing for sites like eBay and PayPal have a reasonable command of English.
Nobody's going to write a phishing tool for Slashdot accounts, at least not unless someone reads this and decides it's too much of a dare to pass up.
D
Should a website name like www.microsoft.com be allowed as a username @ another website like that?
It's all safe characters according to the RFC's... so yes.
The Tasman engine has already been taken out of one browser (IE/Mac) and embedded into another (MSN/Mac). In the process, they cranked the engine's standards support to the point where it actually manages to kick the crap out of Mozilla and Opera. It even supports the nth-child() pseudoclass and its relatives, something no other browser has but everyone wants.
Unfortunately, because they force you to sign up and pay for MSN before you can even use the browser, almost no one knows this, and even fewer people test in it. I don't use MSN/Mac either. The worst part of this, though, is that Opera and Mozilla don't even seem to realize the catch-up that they now have to play.
But here's the thing: the Tasman engine was originally written to be portable, and there are no signs that this has changed. It is entirely possible that Microsoft could port this to Windows, stick it into Longhorn (which would also explain why there aren't supposed to be any more updates to IE/Win before then: they're retiring the old 'Trident' engine and focusing all their efforts on Tasman), and catch Mozilla and Opera completely off guard.
Hollllly shit. MS needs to patch this like...two weeks ago.
Someone is going to make a lot of money with this. For an example of this in action(harmlessly):
http://crayz.dyndns.org/test.html
For those poor souls who are still using IE, there is an easy way to verify that you are indeed led to the correct site - just right-click on the page in question and choose Properties. The URL displayed there is not truncated.
I know it is a pain, but it is much easier than copying URL, restarting IE, and then pasting it back in...
"You mortals are so obtuse." -Q
Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.
How many people are going to give their credit card/bank/paypal info to these sites thinking they are safe because they have norton antivirus or zone alarm running. They are basically telling people not to worry when this is a huge security flaw - the only way to be safe is to type the URL in instead of following links.
Secunia rated the vulnerability as "moderately critical."
How the &#$& is something "moderately critical"? That's like "somewhat hideous" or "vaguely humongous."
DrPascal: Not the language, the mathematician.
Click me!
You'll probably see http://slashdot.org/ on the status bar, but when you click the link you'll be directed to http://slashdot.org/%00users.pl
Hands in my pocket
Try the same address on Netscape, and you'll see the whole URL, not just the fake part.
I've been following a discussion of this bug on the Full-Disclosure list for a couple of days now.
An ordinary A HREF hyperlink will work if you use a hex editor to insert an actual 0x01 character before the @. This was posted by "petard" who has a demonstration exploit here: http://petard.freeshell.org/ms-announce.html
~AC@work
I'm pretty sure that I received a PayPal scam in this exact form as long as a few months ago. Yes, with the %01 character before the '@' - as a Safari user I saw that character, and I was always wondering what it was used for.
http://www.fake.com%00@www.realsite.org/
If you do the mouse hover over the link in MOZILLA
it shows http://www.fake.com on the bottom bar,
but when clicked
it shows the whole URL with the %00 in the URL box.
This does not work for %01, the bottom bar shows
a funny character for the %01.
correctly display the address, it first warns me that I am about to visit an address with an username in it. Don't see why IE can't do this.
Way to go, MS.
But, I'm sure the press with report this as a problem with "the web" or "the internet" and that "all web browsers" or even worse that "the web browser" is affected by it.
er or was it...damn i'm using firebird...
In the STATUS BAR (lower left), it shows the false address, but with an additional character after it.
http://petard.freeshell.org/ms-announce.html
(replying to own post) The version of Mac IE that I tested was 5.1, not 1.5. -Sacrilicious
- First they ignore you, then they laugh at you, then ???, then profit.
by the same geniuses who decided that file extensions should be hidden by default in Windows Explorer. Microsoft's design philosophy seems to include:
1) Don't let the ignorant users see entire filenames / URLs - it will only confuse them.
2) Obscure things to give a false impression of simplicity.
3) Don't worry that users won't know the true nature of things they are clicking on. Bad guys won't figure this out and abuse it.
That it doesn't fool the security zones in IE. If you have a site in your "Trusted Sites" zone, and you try to spoof that site using the mentioned vulnerability, the Address Bar shows false, but the Zone is not fooled. Thank heavens for small miracles.
Wherever you go, there I am...
"... but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays"
No, no it's not. Not even in the same class! It's not Netscape 4, but it sure drags its ass like that horrible melange of shit code.
Do you see rounded corners here? How about the fact that CSS support hasn't been updated in years; specifically it still mainly matches these charts, which have it supporting only 80% of CSS1, 10% of CSS2, and none of the proposed CSS 3 standards? In the past 2 years, Mozilla's CSS support has not remained static.
If you do anything more complex than a table layout in IE, it just won't work. How does this look in the latest IE? Not like the reference image, I'm sure.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Thanks for the example, which is frightening in its clarity. This is a truly serious issue.
The missing forward slash at the end of these fake URLs kind of gives it away. The lack of the slash IS noticeable, especially now that we know to look for it. Is there any way for it to work WITH a forward slash at the end?
When I click on the links using Slimbrowser , I can see the whole URL. However if I switch tabs it only shows the fake url.
Hey dumbass:
The person pulling the trigger is not the victim.
Exactly, man.
xek @ my homepage http://mega.ist.utl.pt/~jjmam/ IE needed! eheheh >:D
I'm going to change all the users profiles on our network so that their start page is some kind of nasty scat porn site using this special url. Then when everyone starts complaining that the company homepage has been hacked, I'll then proceed to rack up some serious overtime bucks just in time for Christmas. ( This could take a long time to fix !)
Thanks Microsoft!
I have used IE's security settings to prevent malicious web code from killing me.
When I check out the link that puts the false URL (www.microsoft.com), it wasn't treated as a trusted site, even though *.microsoft.com was in the trusted site list. At least this is still working in IE!
Here are two websites on how to implement this:
If anyone finds this to be false, I would like to know.
Although the mentioned exploit uses javascript, it is not required. The following exploit using a plain HTML link will also work.
This will make a link that looks like it goes to Google, but it goes to elgoog, a Google parody, instead. You must replace the brackets in the URL with a real, unescaped, literal character 0x01. In other words, the actual HTML file should contain the bits 00000001 as a character where the brackets are.
<A HREF="http://www.google.com[A REAL UNESCAPED CHARACTER 0x01]%00@www.alltooflat.com/geeky/elgoog/"> Google </A>
Who says MS doesn't release patches faster than Linux?
www.microsoft.com/ie/download%01@ftp.mozilla.org/pub/mozilla.org/firebird/releases/0.7/MozillaFirebird-0.7-win32.zip
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
I couldn't have found it otherwise.
Download Opera and try it. It explicitly asks you, in a message box:
"You are trying to go to a URL with a username:
username: www.here.com
server: www.there.com
Continue (yes/no)?"
I'm pretty sure neither Mozilla nor Firebird does that, but I really think they should!
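As an added example, not code from the original thread, from Secunia, or from any of the browsers discussed: the JavaScript below audits links of the kind shown in the plain-HTML post above (a literal 0x01 or a %00 in the "username" part, followed by @realhost) and produces the kind of prompt the Opera post describes. It relies on the WHATWG URL parser (the global `URL` class in Node.js and browsers) to recover the host a request would really reach. The helper names, the model of what the vulnerable address bar displayed, and the sample links are assumptions made here for illustration.

```javascript
// Added example, not code from the thread or from any browser it discusses.
// Audits links for the "username@host" address-bar spoof using the WHATWG
// URL parser; helper names, display model and samples are assumptions.

// Model of the vulnerable address bar, as the thread reports it: the raw
// string is cut off at the first 0x00/0x01 byte, or at its percent-encoded
// form (%00/%01), so everything after it, including "@realhost", is hidden.
function spoofedDisplay(rawHref) {
  return rawHref.split(/[\x00\x01]|%0[01]/i)[0];
}

// Host part of whatever the address bar would show: strip the scheme and
// stop at the first path, query, fragment or "@" separator.
function displayedHost(rawHref) {
  return spoofedDisplay(rawHref)
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
    .split(/[/?#@]/)[0]
    .toLowerCase();
}

// A "username" that is itself a dotted hostname is the signature of the
// trick: nobody logs in to a web site as "www.google.com".
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function auditLink(rawHref) {
  let url;
  try {
    url = new URL(rawHref);
  } catch (e) {
    return { rawHref, parseable: false, warn: true, suspicious: true, reasons: ["unparseable URL"] };
  }
  const reasons = [];
  const username = url.username;                 // the parser leaves this percent-encoded
  const hasUserinfo = username !== "" || url.password !== "";
  if (hasUserinfo) reasons.push("URL carries userinfo; the request goes to " + url.hostname);

  const bareName = username.replace(/%[0-9a-f]{2}/gi, "");
  const hostlikeName = HOSTLIKE.test(bareName);
  if (hostlikeName) reasons.push("username looks like a hostname: " + bareName);

  const hiddenControl = /[\x00-\x1f]/.test(rawHref) || /%0[01]/i.test(username);
  if (hiddenControl) reasons.push("control character (0x00/0x01) hidden in userinfo");

  const shownHost = displayedHost(rawHref);
  if (hasUserinfo && shownHost !== url.hostname) {
    reasons.push("address bar would show " + shownHost + " but the server is " + url.hostname);
  }
  return {
    rawHref, parseable: true,
    username, realHost: url.hostname, displayedHost: shownHost,
    warn: hasUserinfo,                          // when an Opera-style prompt applies
    suspicious: hostlikeName || hiddenControl,  // the spoof pattern itself
    reasons,
  };
}

// The message Opera shows, reconstructed from the post above; null when
// the URL has no userinfo and no prompt would appear.
function operaPrompt(rawHref) {
  const a = auditLink(rawHref);
  if (!a.parseable || !a.warn) return null;
  return "You are trying to go to a URL with a username:\n" +
    "username: " + a.username + "\n" +
    "server: " + a.realHost + "\n" +
    "Continue (yes/no)?";
}

// Pull every href out of a fragment of HTML (double-quoted attributes only,
// which is enough for mail and forum posts) and audit each one.
function scanAnchors(html) {
  const hits = [];
  const re = /href\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) hits.push(auditLink(m[1]));
  return hits;
}

// Constructed sample, modelled on the links posted in the thread; the
// "\x01" is the literal byte the plain-HTML variant needs.
const SAMPLE_HTML =
  '<a href="http://www.google.com\x01%00@www.alltooflat.com/geeky/elgoog/">Google</a>\n' +
  '<a href="http://www.msn.com%00@www.google.com">fake msn</a>\n' +
  '<a href="https://www.paypal.com/signin">PayPal</a>\n' +
  '<a href="ftp://anonymous@ftp.mozilla.org/pub/">Firebird downloads</a>';

if (typeof require !== "undefined" && require.main === module) {
  for (const a of scanAnchors(SAMPLE_HTML)) {
    console.log((a.suspicious ? "SPOOF " : a.warn ? "WARN  " : "ok    ") +
      a.displayedHost + " -> " + a.realHost +
      (a.reasons.length ? "  [" + a.reasons.join("; ") + "]" : ""));
  }
}
```

Run it with `node audit.js` to see the two spoofed links flagged as SPOOF, the anonymous FTP link as WARN (userinfo present, so Opera would still prompt, but the username is not host-like), and the plain PayPal link as ok. The point the thread makes about copy-and-paste holds here too: the parser is fed the raw href, not the text the page or the address bar chose to display.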
hmmm... I already d/l'd a patch for this two days before this article was even written from windows update. What's the dilly y0?
:)
But hey, I could just have gone to a spoofed Windows Update site.
Firebird 0.6 is okay
Konqueror 2.2.2 is okay
But hey, look at this:
Internet Explorer 5 (5.00.2314.1003) installed in Linux/Xandros using Crossover 1.3.1 was not fooled either. This maybe is only a problem for windo$e??
I used the test link: http://www.zapthedingbat.com/security/ex01/vun1.htm
-Turnip Onion --- Neither micro nor $oft. Linux is a fine tool.
check this posted to Full-Disclosure:
http://petard.freeshell.org/ms-announce.html
(be sure to use IE)
Microsoft Patching Condom - InternetNews.com
Squinting closely at my monitor I see it actually says:
"Microsoft's Patching Conundrum"
I really need to get new glasses.
The whole address is shown.
"hand" yourself, settle down.
I wasn't trolling. I'd misread the details of the exploit. you were right, I was completely wrong, and my original post should be modded down (would do it myself if I could).
mozilla 0.6.1/win2k does NOT truncate the actual domain.
my surprise was that it didn't alert (the way opera reportedly does). but the behavior under discussion was the truncating, which it does not exhibit.
kudos for digging into it to get at the truth.
but not bothering w capitalization is unrelated to trollishness! this was an honest (albeit stupid) mistake.
last point: I AM glad I responded, b/c it led to the truth -- something I value much more than being right.
La via sola al paradiso incommincia nel inferno
I got the (HTML) email below today. The misspell of the word "response" tipped me off that something was awry. Sure enough, it is one of these phantom redirects.
In the case of spams, cutting and pasting the link from the text of the email (instead of just clicking) takes care of the problem -- you can't fake the address that way.
____________________
Dear eBay User,
During our regular udpate and verification of the accounts, we couldn't verify your current information. Either your information has changed or it is incomplete.
As a result, your access to bid or buy on Ebay has been restricted. To start using your eBay account fully, please update and verify your information by clicking below
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?Verify Information
Regards,
eBay
**Please Do Not Reply To This E-Mail As You Will Not Receive A Responce**
I call "shenanigans" on this. Under Linux, both Mozilla 1.6a (2003102905) and Mozilla 1.6b (2003120809) show the spoof address correctly:
http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/
How this idiot got modded up so far I'll never know.
Attack its weak point for massive damage!
That was informative.
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
The misspell of the word "response" tipped me off that something was awry.
And it's only later that the creatively-spelled "udpate" sneaks up on you.
Man oh man, these guys are smart enough to find and exploit security holes in Windows. When are they going to learn how to SPELL? Morons...
...Whether my Maker is prepared for the great ordeal of meeting me is another matter.
Churchill
How slashdot handles these bogus urls :)
:wq
If you go into Tools | Internet Options... | General | Accessibility... then enable the Ignore font sizes specified on Web pages checkbox.
Horribly ugly.
Copyrights, Patents, Trademarks: temporary loans from the Public Domain, not real property ("intellectual" or otherwise)
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?Verify Information
<a href="http://www.msn.com%00@www.google.com" >fake msn</a>
I thought this test would work on Slashdot, but I guess I am wrong. Using %00 works for the exploit as well.
Try it on your own
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
IE bug exploit link demo page with some promo for alternatives
VIVA1023.com | Political Fashion.
this has your idea beat a bit ;)
AirSnarf, your very own fake SW AP.
http://airsnarf.shmoo.com/
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
In Mozilla 1.5, win32, the link in the title bar looks like:
http://www.Microsoft.com[]/internet_explorer_address_bar_spoofing_test/
Except it's the square character, not two brackets.
The actual link in the address bar looks like this:
http://www.microsoft.com%01%00@secunia.com
I'm not concerned.
Apparently Mozilla Firebird 0.7 is not affected by this, in that it won't show the actual fake URL. I just tested it now with Zap's example and had this show up:
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
It still said Microsoft of course, but it didn't show only www.microsoft.com, thank god.
:D
You must master your joystick like a fisherman masters bait! - Gimpy
If you still want to use IE, use it with Avant browser wrapper. It displays the URL correctly in the address bar. And it has a tabbed interface and pop-up and Flash blocking.
Doubt.It, The comic
While the big boys at Redmond scratch their balls all day trying to come up with their next licensing scheme, an unknown outfit that goes by the name of Opensoft has released a security patch that fixes the new IE flaw that allows scammers to spoof the address bar. The patch, its source code, and a detailed explanation of the bug including an example can be found at security.openwares.org
Mozilla is not vulnerable to the address-bar spoofing, but it IS (for now) vulnerable to the status-bar (hover) spoofing. However, there's a bug report filed in Bugzilla (228176, if anyone cares to look it up; not going to /. Bugzilla, though) to fix it.