Slashdot Mirror


New IE Bug Hides Real Site Address

Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."

5 of 683 comments

  1. Link to POC test by Anonymous Coward · · Score: 5, Informative
  2. Not a problem in Opera by rbb · · Score: 5, Informative
    Why people keep on using Internet Explorer is a mystery to me, as these problems have been solved ages ago in browsers like for example Opera:
    Security warning: you are about to go to an address containing a username:

    username: www.paypal.com
    server: rc6.org

    Are you sure you want to go to this address?
    --
    In God We Trust, Others We Monitor
  3. IE Mac is fine by wolrahnaes · · Score: 5, Informative

    Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
  4. check here to test your browser by nikster · · Score: 5, Informative

    click on the test button on this page.... it's quite scary.

    Of course, you have to use Internet Explorer to see it.

    Internet Explorer is usually found under C:\Program Files\Internet Explorer ;)

  5. Re:Not patching this month...... by jdreed1024 · · Score: 5, Informative
    The problem is that it looks like it affects them all.

    If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol

    http://www.zdnet.com@slashdot.org

    No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @ symbol or anything after it. Thus:

    http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html

    will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:

    http://www.yahoo.com

    Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)

    And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.

    --
    There is no sig, there is only Zuul.
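
Added example, not part of any comment above and not any browser's own code: a link check for a mail filter or proxy that reports the real server the way the Opera warning in comment 2 does, and separately flags the %00/%01-before-"@" case described in comment 5. The function name `classifyLink` and the verdict strings are assumptions made for this sketch; the sample URLs are the ones quoted in the thread.

```javascript
// Added example: classify a link by what sits before the "@" in its authority.
// classifyLink and the verdict strings are hypothetical names for this sketch.

// Percent-encoded C0 control characters (%00-%1F) or DEL (%7F).
const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i;
// A username that itself looks like a hostname, e.g. "www.paypal.com".
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function classifyLink(href) {
  let url;
  try {
    // WHATWG URL parser; raw control characters in the userinfo part
    // come back percent-encoded, so one regex covers both spellings.
    url = new URL(href);
  } catch {
    return { verdict: "unparseable" };
  }
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  const result = { server: url.hostname, username: url.username, verdict: "ok" };
  if (userinfo === "") return result;

  if (ENCODED_CONTROL.test(userinfo)) {
    result.verdict = "control-char-in-userinfo"; // the %00/%01 case
  } else if (HOSTLIKE.test(url.username)) {
    result.verdict = "hostlike-username";        // the plain "@" case
  } else {
    result.verdict = "has-userinfo";
  }
  return result;
}

// Constructed sample set, built from the URLs quoted in the thread.
const samples = [
  "http://www.zdnet.com@slashdot.org",
  "http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html",
  "http://www.yahoo.com%00@www.0wnz0red.com/0wn-j00.html",
  "http://slashdot.org/index.html",
];
for (const s of samples) {
  const r = classifyLink(s);
  console.log(`${r.verdict.padEnd(26)} server=${r.server}  <- ${s}`);
}
```

The `server` field is the host the request actually goes to, which is the value worth showing to a user or logging, whatever the text before the "@" claims.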