New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
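The advisory quoted above describes the mechanism precisely: everything before the "@" in a URL is the user name, so a link like `http://www.bank.example%01@evil.example/` really goes to `evil.example`, and the encoded control character only affects what the browser displays. The check below is an added example for this thread, not code from Secunia or Microsoft: it parses a URL with Python's standard `urllib.parse`, reports the host the request will actually reach, and flags the two indicators that make such a link suspicious (a percent-encoded control character in the user-info part, and a "user name" that itself looks like a hostname). The sample URLs, and the hosts `evil.example`, `paypal.example` and `ftp.example.org`, are constructed placeholders.

```python
"""Flag URLs that use the user-info trick (e.g. 'host-looking-name%01@real-host')
to disguise the destination, and report the host a request actually goes to.

Added example for this thread; the URLs below are constructed samples."""
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded C0 control characters (%00-%1F) and DEL (%7F) have no
# legitimate place in a user name; "%01" is the byte the advisory names.
_CONTROL_ESCAPE = re.compile(r"%(0[0-9a-fA-F]|1[0-9a-fA-F]|7[fF])")
# The same characters once decoded, stripped before the "looks like a host" test.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Crude "this reads like a hostname" pattern: dotted labels only.
_HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def real_host(url):
    """Host the request is actually sent to: the part of the authority after any '@'."""
    return urlsplit(url).hostname


def check_url(url):
    """Return the real host plus a list of findings and an overall 'suspicious' flag."""
    parts = urlsplit(url)
    result = {"real_host": parts.hostname, "findings": [], "suspicious": False}
    if "@" not in parts.netloc:
        return result  # no user-info component, nothing to disguise with

    userinfo = parts.netloc.rpartition("@")[0]
    result["findings"].append("credentials embedded in URL: %r" % userinfo)

    if _CONTROL_ESCAPE.search(userinfo):
        result["findings"].append("control character (%xx) encoded before '@'")
        result["suspicious"] = True

    # Decode the user name and drop control bytes to see what a victim would read.
    username = unquote(userinfo.split(":", 1)[0])
    visible = _CONTROL_CHARS.sub("", username)
    if _HOSTNAME_LIKE.fullmatch(visible):
        result["findings"].append("user name looks like a hostname: %s" % visible)
        result["suspicious"] = True
    return result


# Constructed samples: one spoof, one ordinary link, one legitimate use of user-info.
SAMPLE_URLS = [
    "http://www.paypal.example%01@evil.example/cgi-bin/webscr",
    "http://www.paypal.example/cgi-bin/webscr",
    "http://user:pass@ftp.example.org/",
]


def scan(urls):
    """Check every URL in a batch (e.g. links pulled from incoming mail)."""
    return {url: check_url(url) for url in urls}


if __name__ == "__main__":
    for url, report in scan(SAMPLE_URLS).items():
        tag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print("%-10s %s -> real host %s" % (tag, url, report["real_host"]))
        for finding in report["findings"]:
            print("           - " + finding)
```

A mail gateway or proxy could run `scan()` over extracted links and rewrite or quarantine anything marked suspicious; the useful part for a user is `real_host()`, which shows the destination the browser will connect to regardless of what the address bar renders.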
for paypal where there are so many redirect scams.
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?
Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downloaded Java 1.4, whereas it does work from Mozilla.)
-Rob
I think it's the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking URL will just add a few more to the gullible.
My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc. and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately that it's not an eBay address. I pointed that out to him. The email's fake. A scammer looking for a way to make a quick scam using his eBay account.
What's he do? Goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my eBay account details". It didn't even enter his head that the scam was a COMPLETE scam. Half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.
A fake URL might catch a few more, but it's people's attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else, IMHO.
Personally I think this is one of the worst security holes I've seen in ages. Why? Very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)".