Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IE Bug Hides Real Site Address

Posted by michael on from the can't-blame-the-user-for-this-one dept.

Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."

22 of 683 comments (clear)

  1. This bodes ill by panxerox · · Score: 5, Insightful

    for paypal where there are so many redirect scams.

    --
    "It's so convenient to have a system where everyone is a criminal" - A. Hitler
    1. Re:This bodes ill by doon · · Score: 4, Insightful

      Like the avg user that falls for the paypal scam knows what a dns server is. Most people believe/trust everything they read in e-mail as long as the "from" address looks right or it looks official. This one might be rough since it might catch the "smarter" users that at least look at the address bar. Hopefully they will realize that it isn't under ssl, and there is now cert, so that they shouldn't do anything, but I am not holding my breath.

      --
      To E-mail me, replace the first period in my domain with an @
    2. Re:This bodes ill by rifter · · Score: 5, Insightful

      for paypal where there are so many redirect scams.

      You're telling me, buddy. Unfortunately Microsoft is not aware that this occurs at all, ever. This is a good example of how unaware they are in general. Meanwhile...

      Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.

      So I should use firewalls and antivirus software. Riiiight. Doesn't address this vulnerability in the slightest. How about I don't use MS software for business-critical financial transactions. Especially since they "may" release a patch. Someday. Like they did for the 1001 other vulnerabilities they did not wnat reported.

      Microsoft faulted security mavens for publicizing the flaw, implying that they hadn't given Microsoft sufficient time to craft a patch.

      "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the statement reads. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

      So customers should not be warned that they might be fooled into giving their money to thieves/terrorists because it might embarrass Microsoft. That is irresponsible in itself. Besides Microsoft does not fix vulnerabilities unless they are widely publicized enough that CNN is reporting them and CEOs understand them. Again the only responsible thing to do is to advocate Mozilla for financial transactions.

    3. Re:This bodes ill by MarkGriz · · Score: 2, Insightful

      If you read slashdot regularly and *still* use IE, you've got bigger problems than the occasional redirect to Mr. Goatse. How it is that any informed, intelligent person still uses that POS software is beyond me.

      Go ahead and mod me flamebait if you must. I've got karma to burn. Besides, what good is all that karma if you can't share it. Merry Christmas.

      --
      Beauty is in the eye of the beerholder.
  2. Not patching this month...... by dew-genen-ny · · Score: 4, Insightful

    Nice. Wonder if they're going to break their word again and distribute yet another patch during december.

    Still this seems like a major flaw - For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect but there's a lot less flaws than IE.

    --
    tom-george.comBecause geeks rate higher t
  3. The patch they should issue! by rknop · · Score: 5, Insightful

    Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?

    Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downoaded Java 1.4, whereas it does work from Mozilla.)

    -Rob

  4. These are pretty nasty bugs. by Sheetrock · · Score: 4, Insightful

    I've found that people are more likely to encounter these sort of things via e-mail, and that they lend themselves quite easily to fraud/theft. Hopefully, Microsoft will release a patch for this even though it's December, because this will no doubt find its way into (illegitimate) spammers' arsenals.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




  5. Human nature will pull people in more by Amiga+Lover · · Score: 5, Insightful

    I think the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking url will just add a few more to the gullible.

    My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately it's not an ebay address. I pointed that out to him. the email's fake. a scammer looking for a way to make a quick scam using his ebay account.

    What's he do? goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my ebay account details". It didn't even enter his head that the scam was a COMPLETE scam. half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.

    A fake URL might catch a few more, but it's peoples attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO

  6. Not so bad from a different point of view by castlec · · Score: 2, Insightful

    As bad as this may seem, perhaps it will push users into other browsers. Microsoft has already said that future IE versions will only be available through an OS upgrade. Perhaps the less enlightened will become enlightened when they find that IE X.X is no longer supported and [insert vulnerablity here] can only be fixed with an OS upgrade because you can't just get an IE upgrade. Maybe then, the less enlightened will just get another browser and then be enlightened.

    --
    When I tell an object to delete this, am I killing it or telling it to kill me?
    1. Re:Not so bad from a different point of view by castlec · · Score: 2, Insightful

      I can't disagree with you, but I can hope. You forget to realize that it eventually comes to money. No one really wants to spend more of it right now. Mention free and ears do start to pop up a bit. Free fix, or $150 upgrade??? Free fix, or $150 upgrade??? Some will choose to leave the dark side.

      --
      When I tell an object to delete this, am I killing it or telling it to kill me?
  7. The patch problem, two-fold by LilJC · · Score: 3, Insightful
    The issue of "read my lips, no new patches" (for December) here is obvious. But now we have two problems. It normally takes a month for a fraction of end users to update even after a patch is issued. Even if this patch is issued immediately when MS said it can be, do you really think that people are going to wake up bright and aware after New Year's Eve and patch their machines?

    The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.

    Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.

    I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.

    This will continue, ad extremum nauseum.

    Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.

    --

    The only thing more dangerous than a file named -rf is renaming it -rf\ /
  8. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  9. Scares the pants off me... by pubjames · · Score: 5, Insightful

    Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"

  10. Funny thing about this. by Anonymous Coward · · Score: 1, Insightful

    Here is IE with closed source and no matter what, it is always the worse nightmare for security out of all browsers, of which almost all they others are OSS.

    Lets hope that in about 3-4 years from now, longhorn will have been decently designed to do thing right.

  11. Now is the time to Push Mozilla and Firebird by gad_zuki! · · Score: 4, Insightful

    At least I've been having more success pushing alternatives to MS when scary MS articles come out.

    I find giving people the link (or installing it myself) to the Firebird installer and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.

    I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet theives."

    Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.

  12. Come on ... by zonix · · Score: 4, Insightful

    Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.

    z
    --
    What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
  13. Re:Not a problem in Opera by Anonymous Coward · · Score: 1, Insightful

    Opera is more secure indeed. That's not the only reason why we love it, it's

    faster

    smaller

    got more features

    Those are the main things really, there's way more to it, so just check it out at www.opera.com

  14. Results of dumbing down UI by Wolfier · · Score: 3, Insightful

    If MS browser actually displays everything on the address bar without filtering of any sort, problem would not have existed.

    Just another example of a solution that solves a problem that doesn't exist and creates security holes.

  15. Re:Why is it slashdot never reports...... by The+Bungi · · Score: 3, Insightful
    This is very interesting. When the "best" alternative to IE was that piece of unbridled crap closed source Netscape Navigator you wouldn't hear a peep from anyone about "standards". Mozilla and friends have been viable products for what, a year and a half? And now IE is a piece of crap.

    As for this particular problem, as always Bashdork makes it seem like the end of the world, front and center. Check the other responses on this article - Mozilla is also vulnerable. I'm running Mozilla 1.6a (2003110515) and I see the "http://www.microsoft.com/" URL on the Secunia spoof page. This kind of puts it in perspective, eh?

    Mozilla is an excellent browser, that's for sure. But it is what it is because IE4 raised the bar so high (compared to NSN) that there was really nowhere to go. I personally use both, and I'm glad that Mozilla is (finally) giving IE a run for its money. But to go from embarrassed silence to this... well, as so many other areas where open source had to play catch up, the FUD tends to convey the idea that Microsoft has always produced non-functional "crap" and everyone else has been running circles around them forever.

    Very funny. Oh, and the "economy cereal" thing? Brilliant. I've heard the same thing said about Mozilla (albeit with a different angle), with its 40-second load times and cluncky one-size-fits-all non standard GUI. Not that I'd agree though. But hey, don't let that put a dent in your superb flaming skillz.

    And let's see how long it takes for the Mozilla folks to patch this one. And of course, for all those people running older builds to actually download and install.

  16. MOD PARENT UP by crayz · · Score: 4, Insightful

    Hollllly shit. MS needs to patch this like...two weeks ago.

    Someone is going to make a lot of money with this. For an example of this in action(harmlessly):

    http://crayz.dyndns.org/test.html

  17. Gotta love microsoft's response by jerrytcow · · Score: 2, Insightful

    Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.

    How many people are going to give their credit card/bank/paypal info to these sites thinking they are safe because they have norton antivirus or zone alarm running. They are basically telling people not to worry when this is a huge security flaw - the only way to be safe is to type the URL in instead of following links.

  18. I'm gonna be RICH ! by Anonymous Coward · · Score: 1, Insightful

    I'm going to change all the users profiles on our network so that their start page is some kind of nasty scat porn site using this special url. Then when everyone starts complaining that the company homepage has been hacked, I'll then proceed to rack up some serious overtime bucks just in time for Christmas. ( This could take a long time to fix !)

    Thanks Microsoft!