Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IE Bug Hides Real Site Address

Posted by michael on from the can't-blame-the-user-for-this-one dept.

Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."

8 of 683 comments (clear)

  1. Re:The example misuse by dema · · Score: 4, Interesting

    In case anyone is wondering, this doesn't appear to affect IE on mac. When I click the test exploit link on http://www.zapthedingbat.com/security/ex01/vun1.ht m it simply turns into http://www.microsoft.com%01@zapthedingbat.com/secu rity/ex01/vun2.htm

  2. Re:The patch they should issue! by gad_zuki! · · Score: 4, Interesting

    More importantly why aren't banking sites suggesting users use Moz? Some could argue that if they knew this in advance they are liable for being negligent, like leaving the vault door open.

    It would only be fair to see a link to Moz and Opera on banking sites and suggesting people use these browsers for maximum privacy and security.

  3. Re:That isn't much better though! by Finuvir · · Score: 5, Interesting

    It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.

    The site you are visiting may be attempting to masquerade as a different site. The site actualDomain.com appears to be masquerading as apparentDomain.com.

    Visit the real apparentDomain.com (link)

    [ ] Don't show this warning in future. (checkbox)

    You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.

    --
    Why is anything anything?
  4. Re:Not a problem in Opera by EnVisiCrypt · · Score: 4, Interesting

    Ahem. Mozilla *is* strict, plain and simple, but only if you use the proper doctype definition. If you don't you probably don't care about "strict" rendering anyway.

    I don't use Opera, but I suspect the same is true. If it isn't, then why would you want a browser that intentionally misrenders pages for which the author did not clearly state a doctype? Aren't you just hurting yourself?

    ideal:
    doctype def == strict or "standards" rendering
    no doctype == loose

    This way you get to see most sites on the web, and those authors who have taken the care to craft their pages properly get their pages rendered in the fashion in which they intended.

    --


    *everything* is Orwellian to cats.
  5. Re:The patch they should issue! by robbo · · Score: 4, Interesting

    It's not a mozilla/ie issue, it's a social issue. Mozilla is likely to have its share of egregious security holes (but probably not as many). Even if patches are released within hours of the discovery of a bug, the likelihood that joe user will install the patch is slim. We can all hoot and holler-- install Mozilla! but if Mozilla gained majority market share, people would still fail to take the time to patch their systems, and it's inevitable that moz security bugs will be discovered too.

    --
    So long, and thanks for all the Phish
  6. Similar IE bug by sopuli · · Score: 5, Interesting
    A little experimentation with this bug yielded another similar bug. The following bit of html:
    <a href="http://www.sco.com%00@www.fsf.org">click me</a>
    when this is displayed in IE, and you hover the mouse over the link, it will display "www.sco.com" in the in the status bar, but when you click it, it will take you to "www.fsf.org". I'll leave it to the reader to replace the latter link with a more offensive one...
  7. Exposed Cookies? by Terragen · · Score: 4, Interesting

    Does IE know its being tricked, or does it know the real site and just display the wrong one?

    I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem :/

  8. HowTo Exploit by Anonymous Coward · · Score: 5, Interesting
    Here is a one-stop guide to exploting this.

    Create a local document:
    <html><body>
    <script language="javascript">
    document.write(unescape('h ttp://www.google.com%01@www.yahoo.com'));
    </scrip t>
    </body></html>
    Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.

    Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
    <html><body>
    <a href="http://www.google.com@www.yahoo.com">Google< /a>
    </body></html>
    Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)

    Save & open the file in Internet Explorer. Surprise!

    But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
    <html><body>
    <a href="http://www.google.com%00@www.yahoo.com">Goog le</a>
    </body></html>
    Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?

    Feeling lucky, punk?