Slashdot Mirror
New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
for paypal where there are so many redirect scams.
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
Nice. Wonder if they're going to break their word again and distribute yet another patch during december.
Still this seems like a major flaw - For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect but there's a lot less flaws than IE.
tom-george.comBecause geeks rate higher t
http://www.zapthedingbat.com/security/ex01/vun1.ht m
http://www.microsoft.com/ie_advisory@%01goatse.cx
All that bizarre crap on the SCO website must actually be The Onion playing games...?
Is pretty compelling (spoofs Microsoft.com):
t m
http://www.zapthedingbat.com/security/ex01/vun1.h
There is no bug, and there will be no patches in December! We will reveal the vulnerabilities of the infidels and they shall tower over our own!
I don't really get them sometimes, honestly. Is this sort of like their being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?
Click here [ZapTheDingBat.com] to see an example of how it is done...
Opera and Mozilla (at least firebird) handles it properly :-)
Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?
Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downoaded Java 1.4, whereas it does work from Mozilla.)
-Rob
'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch
lets just hope they release the patch on purpose this time
wud
Secunia rated the vulnerability as "moderately critical."
How long will it be before someone finds a "critically critical" uber-flaw.
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
No bug in my box from some reason. It works fine on my version IE 6.0 on Windows 2000.
I've found that people are more likely to encounter these sort of things via e-mail, and that they lend themselves quite easily to fraud/theft. Hopefully, Microsoft will release a patch for this even though it's December, because this will no doubt find its way into (illegitimate) spammers' arsenals.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
In God We Trust, Others We Monitor
I think the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking url will just add a few more to the gullible.
My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately it's not an ebay address. I pointed that out to him. the email's fake. a scammer looking for a way to make a quick scam using his ebay account.
What's he do? goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my ebay account details". It didn't even enter his head that the scam was a COMPLETE scam. half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.
A fake URL might catch a few more, but it's peoples attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO
Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
That's pretty elite - can you post your config files on how to do that?
click on the test button on this page.... it's quite scary.
;)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
Comment removed based on user account deletion
As bad as this may seem, perhaps it will push users into other browsers. Microsoft has already said that future IE versions will only be available through an OS upgrade. Perhaps the less enlightened will become enlightened when they find that IE X.X is no longer supported and [insert vulnerablity here] can only be fixed with an OS upgrade because you can't just get an IE upgrade. Maybe then, the less enlightened will just get another browser and then be enlightened.
When I tell an object to delete this, am I killing it or telling it to kill me?
The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.
Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.
I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.
This will continue, ad extremum nauseum.
Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.
The only thing more dangerous than a file named -rf is renaming it -rf\ /
No it doesn't. The exploit page linked to in the article displays the full URL with Mozilla 1.5 on my Linux system:
r it y/ex01/vun2.htm
http://www.microsoft.com@zapthedingbat.com/secu
Comment removed based on user account deletion
Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"
How did you come up with that deduction? IE6 is the only f'd up browser I tested. All other browsers display the proper URL.
At least I've been having more success pushing alternatives to MS when scary MS articles come out.
I find giving people the link (or installing it myself) to the Firebird installer and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.
I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet theives."
Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.
Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
On three occasions, with two different users, I have observed that Netscape/Mozilla profiles have disappeared following Microsoft update. Just a concidence? Perhaps, but after the third occurrence I have become suspicious.
One time I played with the application that let's you set your default browser and email package - the thing that Microsoft had to do because of the DOJ ruling. It completely screwed up Mozilla - it actually renamed files in the Mozilla directory, I kid you not. I couldn't believe it. I had to reinstall. I bet some ass at MS put some code in like this:
if ( mozillaInstalled and ((random (100) ==1) )
screwUpMozilla();
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.
You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.
Why is anything anything?
Even if it's hidden in the address bar, you can do File > Properties to see the full URL.
And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
Actually, I think Finuvir was referring to the general use of '@' in a URL, rather than the use of unescaped %01.
Seems like a damn fine idea to me. If all browsers already had this functionality, It would have prevented this from happening.
From now on this is the link I give my friends to download IE from: http://www.microsoft.com/internetexplorer/%01@mozi lla.org
Does IE know its being tricked, or does it know the real site and just display the wrong one?
:/
I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem
Are you sure? I tested Mozilla using this page and it worked correctly. I tested the same page using IE and the url came up "www.microsoft.com".
Yes, I know you're a troll. But I figured anybody who might be fooled by your outstanding writing should be able to click on a link and test their own browsers.
Also, I should note that Opera actually gave me a pop-up warning that I was sending a username to the site - the username www.microsoft.com - and after I agreed to do that I got a page with the correct url. Has anybody else tested this on other browsers?
I really hate signatures, but go to my website.
If MS browser actually displays everything on the address bar without filtering of any sort, problem would not have existed.
Just another example of a solution that solves a problem that doesn't exist and creates security holes.
When it comes to security, there is no one in Redmond that can even spell the word! Once you understand that all the problems are easy to understand.
Professional Politicians are not the solution, they ARE the problem.
Grr...no link....let's try again.
webpagesthatsuck.com's demo of this exploit
The probability that someone is watching you is directly proportional to the stupidity of your actions.
This article at securityfocus says IE 6 and possibly earlier versions of IE. No Mozilla, Netscape, Opera, Links, Safari, Konq, Firebird, etc.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The problem is that it looks like it affects them all.
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either a ascii 1 or an ascii 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0
ASCII 1
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
Your credit card information wants to be free.
Your experience would be consistent with mine. As I mentioned, Update routinely sets the default mailer to Outlook, and I have to reset it using the DOJ-mandated tool. So it could be that the tool is messing me up rather than the update. But it is still a consequence of the update, and still evil.
If indeed the tool is the culprit, it may be easier than I had originally thought to reproduce the problem, and hence build a case against Microsoft. At least a case against their software. Proving intent would be another matter.
- Win IE 6.0
- Mac IE 1.5
- Win Mozilla 1.4.1
- Mac Mozilla 1.4
The only one affected was Win IE.If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
- First they ignore you, then they laugh at you, then ???, then profit.
I was baffled to discover that my browser (Firebird) supports the @ redirection at all. I've been unable to uncover any W3C or RFC standard that covers it, though presumably one exists. Can somebody point me to it?
Perhaps that would explain why such a silly feature exists at all. It seems to have no other purpose than for spoofing.
Like it would be so hard for a group with dubious credentials to acquire a cert. Browsers don't prompt usually so long as the cert is up to date, and from an official cert authority.
Who's going to inspect and notice it wasn't issued to the right corporation?
Well, hopefully any paranoid IE user, for now.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
One more trivial tell to drop crap e-mails from my inbox.
If an e-mail contains the characters "%01@" or "%00@" kill it.
I can't think of any reason why those strings of characters would legitimatly found in an e-mail.
This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.
If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.
So for a real world example, if Grandma get's an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information tell her to open her browser and go to her bank's web-site the old fashioned way of typing it in, to log into her account and then see if any notices are there.
If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.
Simple lesson for grandma: Never click on a click from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.
Anyone throwing up their hands about having to reteach grandma, didn't teach grandma properly in the first.
There's a very generic object lesson here that has zero to do trying to see if a URL is being sneaky that you should have taught her years ago when the first "click here to update your info" scams came through.
Ben
Work Safe Porn
Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.
Create a local document:
Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.
Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)
Save & open the file in Internet Explorer. Surprise!
But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?
Feeling lucky, punk?
To nuke this exploit from links you follow on a website (it won't help if you follow it from an e-mail or paste it into the address box, but if you are duped by that, they you probably aren't reading slashdot) you can ad this rule to the proxomitron (or a similar one to Privoxy, and open source equivilent)
and it will do a nice job of blocking all of these links.
take this example email to a corporate user from a malicious person. the email is a simple example, i'm sure other more complex examples can be created:
s it e.com/username_and_password_verification.html
To: corporate user
From: corporate help desk
Subject: MANDATORY: Username and password verification
Last night, one of our authentication servers went down and we need to rebuild the our database. To make this process easier for us, please use the form below to verify your username and password.
http://our.corporate.intranet%01@www.malicious_
Thank you for your cooperation.
IT Help Desk
===
i can't believe that MS is just considering a patch for this. i would write to your corporate internet security officer and urge this person to take a look at this MS IE vulnerability and also to switch to Mozilla. this could be mozilla's chance.
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
As for this particular problem, as always Bashdork makes it seem like the end of the world, front and center. Check the other responses on this article - Mozilla is also vulnerable. I'm running Mozilla 1.6a (2003110515) and I see the "http://www.microsoft.com/" URL on the Secunia spoof page. This kind of puts it in perspective, eh?
Mozilla is an excellent browser, that's for sure. But it is what it is because IE4 raised the bar so high (compared to NSN) that there was really nowhere to go. I personally use both, and I'm glad that Mozilla is (finally) giving IE a run for its money. But to go from embarrassed silence to this... well, as so many other areas where open source had to play catch up, the FUD tends to convey the idea that Microsoft has always produced non-functional "crap" and everyone else has been running circles around them forever.
Very funny. Oh, and the "economy cereal" thing? Brilliant. I've heard the same thing said about Mozilla (albeit with a different angle), with its 40-second load times and cluncky one-size-fits-all non standard GUI. Not that I'd agree though. But hey, don't let that put a dent in your superb flaming skillz.
And let's see how long it takes for the Mozilla folks to patch this one. And of course, for all those people running older builds to actually download and install.
Hollllly shit. MS needs to patch this like...two weeks ago.
Someone is going to make a lot of money with this. For an example of this in action(harmlessly):
http://crayz.dyndns.org/test.html
Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.
How many people are going to give their credit card/bank/paypal info to these sites thinking they are safe because they have norton antivirus or zone alarm running. They are basically telling people not to worry when this is a huge security flaw - the only way to be safe is to type the URL in instead of following links.
That it doesn't fool the security zones in IE. If you have a site in your "Trusted Sites" zone, and you try to spoof that site using the mentioned vulnerability, the Address Bar shows false, but the Zone is not fooled. Thank heavens for small miracles.
Wherever you go, there I am...
Who says MS doesn't release patches faster than Linux?
g /p ub/mozilla.org/firebird/releases/0.7/MozillaFirebi rd-0.7-win32.zip
www.microsoft.com/ie/download%01@ftp.mozilla.or
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?