New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
In case anyone is wondering, this doesn't appear to affect IE on Mac. When I click the test exploit link on http://www.zapthedingbat.com/security/ex01/vun1.htm it simply turns into http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
The problem is that it looks like it affects them all.
If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what: so does just putting the @ symbol.
http://www.zdnet.com@slashdot.org
I'm still not really sure what the problem is. Even if the bug removed the @slashdot.org, it just means that those of us that actually pay attention to the address bar might get fooled. Most people don't pay any attention to the address bar, and wouldn't think twice about seeing an @ symbol there.
Random Musings
On three occasions, with two different users, I have observed that Netscape/Mozilla profiles have disappeared following a Microsoft update. Just a coincidence? Perhaps, but after the third occurrence I have become suspicious.
One time I played with the application that lets you set your default browser and email package - the thing that Microsoft had to do because of the DOJ ruling. It completely screwed up Mozilla - it actually renamed files in the Mozilla directory, I kid you not. I couldn't believe it. I had to reinstall. I bet some ass at MS put some code in like this:
if ( mozillaInstalled and ((random (100) ==1) )
screwUpMozilla();
More importantly why aren't banking sites suggesting users use Moz? Some could argue that if they knew this in advance they are liable for being negligent, like leaving the vault door open.
It would only be fair to see a link to Moz and Opera on banking sites and suggesting people use these browsers for maximum privacy and security.
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.
You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.
Why is anything anything?
Ahem. Mozilla *is* strict, plain and simple, but only if you use the proper doctype definition. If you don't you probably don't care about "strict" rendering anyway.
I don't use Opera, but I suspect the same is true. If it isn't, then why would you want a browser that intentionally misrenders pages for which the author did not clearly state a doctype? Aren't you just hurting yourself?
ideal:
doctype def == strict or "standards" rendering
no doctype == loose
This way you get to see most sites on the web, and those authors who have taken the care to craft their pages properly get their pages rendered in the fashion in which they intended.
*everything* is Orwellian to cats.
Sorry to disappoint you. The article doesn't mention this, but according to someone on Bugtraq some versions of Mozilla are also affected.
It's not a mozilla/ie issue, it's a social issue. Mozilla is likely to have its share of egregious security holes (but probably not as many). Even if patches are released within hours of the discovery of a bug, the likelihood that joe user will install the patch is slim. We can all hoot and holler-- install Mozilla! but if Mozilla gained majority market share, people would still fail to take the time to patch their systems, and it's inevitable that moz security bugs will be discovered too.
So long, and thanks for all the Phish
Why people keep on using Internet Explorer is a mystery to me
Lots of us aren't given a choice. Our desktops at work are locked down, so normal users can't install or change the software available.
My desktop machine is so locked down that I can't adjust the clock. I have to put in a formal request to IT to have it done whenever the clock gets too far away from reality. And then another request for them to set it to the correct time in my time zone, not theirs.
At home, it's a different story. Mozilla on FreeBSD!
---
"I can't complain, but sometimes still do..." Joe Walsh
Does IE know it's being tricked, or does it know the real site and just display the wrong one?
:/
I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing... that just might be a slight problem.
Are you sure? I tested Mozilla using this page and it worked correctly. I tested the same page using IE and the URL came up "www.microsoft.com".
Yes, I know you're a troll. But I figured anybody who might be fooled by your outstanding writing should be able to click on a link and test their own browsers.
Also, I should note that Opera actually gave me a pop-up warning that I was sending a username to the site - the username www.microsoft.com - and after I agreed to do that I got a page with the correct url. Has anybody else tested this on other browsers?
I really hate signatures, but go to my website.
The fact that it works in Netscape 7 means that it should work in Firebird as well. However, Banks tend to be very anal about your client software, and many of them will block browsers that they haven't specifically tested.
Also, Firebird is BETA software. There's been cookie bugs and so on in the Moz dev branch, it's semi-reasonable that security-sensitive companies don't want to support half-baked software.
Your experience would be consistent with mine. As I mentioned, Update routinely sets the default mailer to Outlook, and I have to reset it using the DOJ-mandated tool. So it could be that the tool is messing me up rather than the update. But it is still a consequence of the update, and still evil.
If indeed the tool is the culprit, it may be easier than I had originally thought to reproduce the problem, and hence build a case against Microsoft. At least a case against their software. Proving intent would be another matter.
I was baffled to discover that my browser (Firebird) supports the @ redirection at all. I've been unable to uncover any W3C or RFC standard that covers it, though presumably one exists. Can somebody point me to it?
Perhaps that would explain why such a silly feature exists at all. It seems to have no other purpose than for spoofing.
Could someone tell me how you can stop images from animating in firebird? You say the interface is better, but I can't find it.
Have you tried using the Mozilla Zip file version, as opposed to the installer version? Essentially, install goes like:
I used it to put Moz on the Windows Ex-Privacy machines at my uni with just my user account. Naturally, you can't change the "System Access Preferences" or whatever it's called, since it'd be completely asinine for anyone but Administrator to let the user choose what browser they prefer to use....
Anti-Trust Penalties my ass.
--
Given enough personal experience, all stereotypes are shallow.
The "less enlightened" will do no such thing, because they already believe that Microsoft are the only company which understands technology and does all the innovation, and thus believe everything else that Microsoft tells them (including the traditional marketing line "You can do anything you want with Windows Beagle, the fastest, most secure, most private and easiest-to-use Windows ever!").
They won't even have the wit to realise that other web browsers exist, let alone go looking for them and install them.
Microsoft is fostering an attitude of technological ignorance- under a guise of ease of use- because it's easy to exploit the ignorant.
One more trivial tell to drop crap e-mails from my inbox.
If an e-mail contains the characters "%01@" or "%00@" kill it.
I can't think of any reason why those strings of characters would legitimately be found in an e-mail.
This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.
If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.
So for a real world example, if Grandma gets an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information, tell her to open her browser and go to her bank's web-site the old fashioned way, by typing it in, to log into her account and then see if any notices are there.
If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.
Simple lesson for grandma: Never click on a link from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with that is asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.
Anyone throwing up their hands about having to reteach grandma didn't teach grandma properly in the first place.
There's a very generic object lesson here that has zero to do with trying to see if a URL is being sneaky, one that you should have taught her years ago when the first "click here to update your info" scams came through.
Ben
Work Safe Porn
Create a local document:
Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.
Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)
Save & open the file in Internet Explorer. Surprise!
But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL, e.g.:
Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?
Feeling lucky, punk?
To nuke this exploit from links you follow on a website (it won't help if you follow it from an e-mail or paste it into the address box, but if you are duped by that, then you probably aren't reading Slashdot) you can add this rule to the Proxomitron (or a similar one to Privoxy, an open source equivalent)
and it will do a nice job of blocking all of these links.
Take this example e-mail to a corporate user from a malicious person. The e-mail is a simple example; I'm sure other, more complex examples can be created:
To: corporate user
From: corporate help desk
Subject: MANDATORY: Username and password verification
Last night, one of our authentication servers went down and we need to rebuild our database. To make this process easier for us, please use the form below to verify your username and password.
http://our.corporate.intranet%01@www.malicious_site.com/username_and_password_verification.html
Thank you for your cooperation.
IT Help Desk
===
I can't believe that MS is just considering a patch for this. I would write to your corporate internet security officer and urge this person to take a look at this MS IE vulnerability and also to switch to Mozilla. This could be Mozilla's chance.
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
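Several posters above propose the same defence from different angles: the observation that a plain "@" fools the address bar just as well as "%01@", the suggestion that an open-source browser warn whenever the text before the "@" looks like a domain, the mail rule that drops anything containing "%01@" or "%00@", the proxy rule that strips such links, and the help-desk phish just quoted. The part before the "@" is the URL's userinfo component (RFC 2396 section 3.2.2), and a modern parser hands it back as a username while the host that is actually contacted follows the "@". The link checker below is an added example, not code from the thread, any poster, or any browser; it runs under Node.js and uses the built-in WHATWG URL parser. The TLD list, the sample message and the host phish.example.net are constructed for illustration; the thread only suggests looking for "www." or a TLD in the userinfo.

```javascript
// Added example (not from the thread): classify a link the way the posters
// suggest, so the result could back a mail filter or a proxy rule.  Node's
// WHATWG URL parser treats everything before "@" as userinfo and returns the
// host a browser actually connects to.

// Constructed list for the decoy heuristic; the thread names no specific TLDs.
const DECOY_TLDS = ['.com', '.org', '.net', '.edu', '.gov', '.uk', '.dk'];

// Classify one link.  Returns the real host, the userinfo (percent-encoded,
// as the parser reports it) and a list of findings; empty means nothing odd.
function analyzeLink(raw) {
  const findings = [];
  // Scheme-less input such as "www.zdnet.com@slashdot.org" is treated as http://
  const text = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : 'http://' + raw;
  let url;
  try {
    url = new URL(text);
  } catch (err) {
    return { realHost: null, userinfo: '', findings: ['unparseable URL'] };
  }
  // A raw \x01 in the input is percent-encoded on the way out, so the
  // encoded and unencoded forms of the trick both show up here as "%01".
  const userinfo = url.username + (url.password ? ':' + url.password : '');
  if (userinfo !== '') {
    // This check alone covers the plain "@" case: the text is a login name.
    findings.push('userinfo "' + userinfo + '" is sent as a login name, not a host');

    // The decoy heuristic proposed in the thread: does the part before "@"
    // look like a domain?  Drop any ":password" or "%xx" tail first.
    const decoy = userinfo.toLowerCase().split(/[:%]/)[0];
    if (decoy.startsWith('www.') || DECOY_TLDS.some((tld) => decoy.endsWith(tld))) {
      findings.push('userinfo looks like a domain name (address-bar spoof)');
    }

    // The %01 / %00 variants: any C0 control character in the userinfo.
    const controls = userinfo.match(/%[01][0-9a-f]/gi);
    if (controls) {
      findings.push('control character(s) in userinfo: ' + controls.join(' '));
    }
  }
  return { realHost: url.hostname, userinfo, findings };
}

// Scan a message body for links and keep the suspicious ones: the "%01@ in
// an e-mail" rule from the thread, widened to any link that carries userinfo.
function findSuspiciousLinks(body) {
  const links = body.match(/https?:\/\/[^\s<>"']+/gi) || [];
  return links
    .map((link) => ({ link, ...analyzeLink(link) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample message in the shape of the help-desk phish above;
// phish.example.net is a hypothetical host.
const SAMPLE_MAIL = [
  'Subject: MANDATORY: Username and password verification',
  'Please verify your account at',
  'http://our.corporate.intranet%01@phish.example.net/verify.html',
  'Our real intranet is http://our.corporate.intranet/ for reference.',
].join('\n');

for (const r of findSuspiciousLinks(SAMPLE_MAIL)) {
  console.log(r.link, '->', r.realHost, r.findings);
}
```

Note what each check buys: the "www."/TLD heuristic flags www.microsoft.com%01@zapthedingbat.com and www.zdnet.com@slashdot.org but says nothing about our.corporate.intranet%01@..., because an intranet name carries no public TLD. The control-character test catches that one, and the bare "userinfo present" test catches both plus any plain "@" link, which is why the "%01@"-only mail rule is the narrowest of the three.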
This is a good point - It seems quite unlikely that Mozilla has fewer flaws than IE. Over the years that Mozilla has been in existence the number of bugs it has had numbers in the hundreds of thousands, and that is with only 1-15% market share spotting them (depending on the site and your stat source).
Also, who knows how many flaws IE has; there's no bugzIE. But there are millions of random pages documenting them, probably owing to the vast user base.
But the real issue is, of course, not how many flaws the browsers have, but their severity. Mozilla is specifically designed to protect the average user from malicious code where IE seems to ask for it at every turn. You can't run ActiveX scripts by default in Mozilla, and the plugin that allows it does not allow modification of your files. You can't run .exe files from the address bar. There is no privileged access to the system.
And yet, it's this kind of flaw, the kind that deals with browsing specifically--hiding URLs, misdirection--that all browsers are susceptible to. The difference here? Mozilla would have a patch in 1 hour and most of its users wouldn't download it until the next major version, if then; IE would have a patch in 1-7 days and it would be delivered through Windows Update, most of the time. I would go with the Microsoft system in principle if it weren't for its being closed source and unmonitorable. It seems to me that with this kind of exploit, the real flaw is in how people use their computers. People have to care about security for it to be realized. I'm not saying that everyone should have to head over to mozilla.org and download 7 megs of the latest patched version every time something like this shows up - that's hard on all users, and impossible for many. But also, people should be given ultimate control of their system and still be allowed to be secure. If you snub Windows Update, you're obscenely open to attack. A system like Linux is ideal, because if you require it you can change anything about your software but still establish a simple, auditable system for security updates. Sadly though, a solution simple enough for everyone, outside of a networked, administered environment, has yet to be created in my opinion, and the problems of these security flaws will continue to plague thousands.