Slashdot Mirror
New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
for paypal where there are so many redirect scams.
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
Nice. Wonder if they're going to break their word again and distribute yet another patch during december.
Still this seems like a major flaw - For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect but there's a lot less flaws than IE.
tom-george.comBecause geeks rate higher t
http://www.zapthedingbat.com/security/ex01/vun1.ht m
http://www.microsoft.com/ie_advisory@%01goatse.cx
All that bizarre crap on the SCO website must actually be The Onion playing games...?
Is pretty compelling (spoofs Microsoft.com):
t m
http://www.zapthedingbat.com/security/ex01/vun1.h
There is no bug, and there will be no patches in December! We will reveal the vulnerabilities of the infidels and they shall tower over our own!
I don't really get them sometimes, honestly. Is this sort of like their being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?
Click here [ZapTheDingBat.com] to see an example of how it is done...
Opera and Mozilla (at least firebird) handles it properly :-)
Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?
Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downoaded Java 1.4, whereas it does work from Mozilla.)
-Rob
'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch
lets just hope they release the patch on purpose this time
wud
Secunia rated the vulnerability as "moderately critical."
How long will it be before someone finds a "critically critical" uber-flaw.
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
I've found that people are more likely to encounter these sort of things via e-mail, and that they lend themselves quite easily to fraud/theft. Hopefully, Microsoft will release a patch for this even though it's December, because this will no doubt find its way into (illegitimate) spammers' arsenals.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
In God We Trust, Others We Monitor
I think the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking url will just add a few more to the gullible.
My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately it's not an ebay address. I pointed that out to him. the email's fake. a scammer looking for a way to make a quick scam using his ebay account.
What's he do? goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my ebay account details". It didn't even enter his head that the scam was a COMPLETE scam. half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.
A fake URL might catch a few more, but it's peoples attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO
Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
click on the test button on this page.... it's quite scary.
;)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
What is your version-number? Mine is 6.0.2800.1106, and I can confirm that its working (infortunately)...
Have tried some examples? Such as this one? [zapthedingbat.com]
mebbe someone spoofed your shortcut to point at Internet%20Explorer%01@Mozilla
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
Comment removed based on user account deletion
The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.
Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.
I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.
This will continue, ad extremum nauseum.
Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.
The only thing more dangerous than a file named -rf is renaming it -rf\ /
Comment removed based on user account deletion
Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"
At least I've been having more success pushing alternatives to MS when scary MS articles come out.
I find giving people the link (or installing it myself) to the Firebird installer and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.
I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet theives."
Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.
Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.
You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.
Why is anything anything?
Does IE know its being tricked, or does it know the real site and just display the wrong one?
:/
I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem
Are you sure? I tested Mozilla using this page and it worked correctly. I tested the same page using IE and the url came up "www.microsoft.com".
Yes, I know you're a troll. But I figured anybody who might be fooled by your outstanding writing should be able to click on a link and test their own browsers.
Also, I should note that Opera actually gave me a pop-up warning that I was sending a username to the site - the username www.microsoft.com - and after I agreed to do that I got a page with the correct url. Has anybody else tested this on other browsers?
I really hate signatures, but go to my website.
If MS browser actually displays everything on the address bar without filtering of any sort, problem would not have existed.
Just another example of a solution that solves a problem that doesn't exist and creates security holes.
This article at securityfocus says IE 6 and possibly earlier versions of IE. No Mozilla, Netscape, Opera, Links, Safari, Konq, Firebird, etc.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The problem is that it looks like it affects them all.
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either a ascii 1 or an ascii 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0
ASCII 1
(Below are the browsers I just happen to have installed)
IE6 for windows (for sake of having a control):
0 brings you to goatse.cx with http://goatse.cx in the address bar
1 brings you to goatse.cx with http://slashdot.org in the address bar
Opera 7.23 for windows and Opera 7.11 for FreeBSD:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org^@goatse.cx/ in the address bar, where ^ is ASCII 1.
Note: Opera brought up a dialog box warning you that the link was to a site with a username in the URL on the ASCII 1 link.
Mozilla Firebird 0.7 for windows and Mozilla 1.5 for Windows:
0 brings you to slashdot.org with http://slashdot.org in the address bar
1 brings you to goatse.cx with http://slashdot.org%01@goatse.cx/ in the address bar
So of the browsers tested, the vulnerability only works in IE, and only for ASCII 1.
Your credit card information wants to be free.
- Win IE 6.0
- Mac IE 1.5
- Win Mozilla 1.4.1
- Mac Mozilla 1.4
The only one affected was Win IE.If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
- First they ignore you, then they laugh at you, then ???, then profit.
Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.
Create a local document:
Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.
Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)
Save & open the file in Internet Explorer. Surprise!
But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?
Feeling lucky, punk?
It's covered in RFC 1738. Look for section 3.1 Common Internet Scheme Syntax.
Basically, it allows you to specify a username and possibly a password as part of a URL. http://w:x@y.com says to connect to y.com with username w, password x. The URL http://w@x.com means to connect to x.com with username w. This is not in particularly common use for HTTP, but it can be useful for sites that use HTTP authentication.
Web servers ignore the username and password if you connect to a page that doesn't require authentication, so for most sites, everything before the @ is simply ignored.
So this really is part of a standard, and it exists for a good reason. It's not a redirection at all, but simply a part of the URL standard that isn't used often enough for people to know what it means. The whole spoofing this is a completely unintended consequence of that.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
As for this particular problem, as always Bashdork makes it seem like the end of the world, front and center. Check the other responses on this article - Mozilla is also vulnerable. I'm running Mozilla 1.6a (2003110515) and I see the "http://www.microsoft.com/" URL on the Secunia spoof page. This kind of puts it in perspective, eh?
Mozilla is an excellent browser, that's for sure. But it is what it is because IE4 raised the bar so high (compared to NSN) that there was really nowhere to go. I personally use both, and I'm glad that Mozilla is (finally) giving IE a run for its money. But to go from embarrassed silence to this... well, as so many other areas where open source had to play catch up, the FUD tends to convey the idea that Microsoft has always produced non-functional "crap" and everyone else has been running circles around them forever.
Very funny. Oh, and the "economy cereal" thing? Brilliant. I've heard the same thing said about Mozilla (albeit with a different angle), with its 40-second load times and cluncky one-size-fits-all non standard GUI. Not that I'd agree though. But hey, don't let that put a dent in your superb flaming skillz.
And let's see how long it takes for the Mozilla folks to patch this one. And of course, for all those people running older builds to actually download and install.
Hollllly shit. MS needs to patch this like...two weeks ago.
Someone is going to make a lot of money with this. For an example of this in action(harmlessly):
http://crayz.dyndns.org/test.html
Who says MS doesn't release patches faster than Linux?
g /p ub/mozilla.org/firebird/releases/0.7/MozillaFirebi rd-0.7-win32.zip
www.microsoft.com/ie/download%01@ftp.mozilla.or
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?