Slashdot Mirror


New IE Bug Hides Real Site Address

Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."

41 of 683 comments

  1. This bodes ill by panxerox · · Score: 5, Insightful

    for paypal where there are so many redirect scams.

    --
    "It's so convenient to have a system where everyone is a criminal" - A. Hitler
    1. Re:This bodes ill by glpierce · · Score: 5, Funny

      ...and Slashdot, where there are so many people trying to get you to look at goatse

      --
      G
    2. Re:This bodes ill by doon · · Score: 4, Insightful

      Like the avg user that falls for the paypal scam knows what a dns server is. Most people believe/trust everything they read in e-mail as long as the "from" address looks right or it looks official. This one might be rough since it might catch the "smarter" users that at least look at the address bar. Hopefully they will realize that it isn't under ssl, and there is no cert, so that they shouldn't do anything, but I am not holding my breath.

      --
      To E-mail me, replace the first period in my domain with an @
    3. Re:This bodes ill by Bobulusman · · Score: 4, Informative

      Actually, although someone will probably prove me wrong, you couldn't do this with a slashdot link. You have to use the unescape command, and I don't see a way to do that with the allowed HTML.

      I'm sure its main 'use' will be HTML e-mails which lead consumers to fake ebay and paypal sites.

      --
      Cogito ergo sum in Slashdot.
    4. Re:This bodes ill by metlin · · Score: 4, Informative

      You're correct.

      I even tried various combinations, including a javascript: in the href tag and it did not work -

      <a href="javascript:location.href=unescape('http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm')">test</a>

      Not as bad as it could be. At least not yet.

    5. Re:This bodes ill by rifter · · Score: 5, Insightful

      for paypal where there are so many redirect scams.

      You're telling me, buddy. Unfortunately Microsoft is not aware that this occurs at all, ever. This is a good example of how unaware they are in general. Meanwhile...

      Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.

      So I should use firewalls and antivirus software. Riiiight. Doesn't address this vulnerability in the slightest. How about I don't use MS software for business-critical financial transactions. Especially since they "may" release a patch. Someday. Like they did for the 1001 other vulnerabilities they did not want reported.

      Microsoft faulted security mavens for publicizing the flaw, implying that they hadn't given Microsoft sufficient time to craft a patch.

      "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the statement reads. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

      So customers should not be warned that they might be fooled into giving their money to thieves/terrorists because it might embarrass Microsoft. That is irresponsible in itself. Besides Microsoft does not fix vulnerabilities unless they are widely publicized enough that CNN is reporting them and CEOs understand them. Again the only responsible thing to do is to advocate Mozilla for financial transactions.

  2. Not patching this month...... by dew-genen-ny · · Score: 4, Insightful

    Nice. Wonder if they're going to break their word again and distribute yet another patch during December.

    Still this seems like a major flaw - For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect but there are a lot fewer flaws than IE.

    --
    tom-george.comBecause geeks rate higher t
    1. Re:Not patching this month...... by Pelorat · · Score: 5, Funny

      Actually, if they're going to break promises, that's a good one to start with.

    2. Re:Not patching this month...... by leifm · · Score: 4, Informative

      I'd recommend Firebird over Mozilla. While I still like Moz a lot I've started using Firebird 98% of the time, it integrates with Windows a bit better, it's faster, and the interface is simpler. And over the last year to year and a half almost every site seems to render correctly with Gecko based browsers, leaving only Windows Update and other ActiveX dependent sites needing IE. IE was a good browser in its day, but MS has let it stagnate pretty much since 4.0. They're going to have to do more than just add pop-up blocking for me to use it with any regularity again.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurrott
    3. Re:Not patching this month...... by jdreed1024 · · Score: 5, Informative
      The problem is that it looks like it affects them all.

      If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol

      http://www.zdnet.com@slashdot.org

      No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it. Thus:

      http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html

      will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:

      http://www.yahoo.com

      Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)

      And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.

      --
      There is no sig, there is only Zuul.
    4. Re:Not patching this month...... by Anml4ixoye · · Score: 4, Informative
      Is this going to break anything useful?

      Yes, things like FTP logins rely on that. URLs are subsets of URIs which have a lot more useful things.

      For example, if you need to go to an FTP site that has a login, you can type in your address bar:

      ftp://user:pass@ftp.mysite.com

      That will automatically log you in with your user name and password. You could also do just:

      user@ftp.mysite.com

      And it will prompt you for your password.

  3. Link to POC test by Anonymous Coward · · Score: 5, Informative
  4. See also by lamery · · Score: 5, Funny

    http://www.microsoft.com/ie_advisory@%01goatse.cx

    1. Re:See also by karevoll · · Score: 4, Informative

      The %01 part should come _before_ the @... and no, it is not just as simple as this... the url must also be unescaped..

      See Here [DevGuru] if you don't know what 'unescape' means...

      (Yes, this means that it will be difficult pulling this one off over i.e. IRC, where special characters don't necessarily show up on other people's terminals)

  5. That would explain a lot by Anonymous Coward · · Score: 5, Funny

    All that bizarre crap on the SCO website must actually be The Onion playing games...?

  6. Word from the Microsoft Information Minister by JavaSavant · · Score: 5, Funny

    There is no bug, and there will be no patches in December! We will reveal the vulnerabilities of the infidels and they shall tower over our own!

    I don't really get them sometimes, honestly. Is this sort of like there being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?

  7. A demonstration by karevoll · · Score: 4, Informative

    Click here [ZapTheDingBat.com] to see an example of how it is done...

    Opera and Mozilla (at least firebird) handle it properly :-)

  8. The patch they should issue! by rknop · · Score: 5, Insightful

    Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?

    Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downloaded Java 1.4, whereas it does work from Mozilla.)

    -Rob

    1. Re:The patch they should issue! by gad_zuki! · · Score: 4, Interesting

      More importantly why aren't banking sites suggesting users use Moz? Some could argue that if they knew this in advance they are liable for being negligent, like leaving the vault door open.

      It would only be fair to see a link to Moz and Opera on banking sites and suggesting people use these browsers for maximum privacy and security.

    2. Re:The patch they should issue! by robbo · · Score: 4, Interesting

      It's not a mozilla/ie issue, it's a social issue. Mozilla is likely to have its share of egregious security holes (but probably not as many). Even if patches are released within hours of the discovery of a bug, the likelihood that joe user will install the patch is slim. We can all hoot and holler-- install Mozilla! but if Mozilla gained majority market share, people would still fail to take the time to patch their systems, and it's inevitable that moz security bugs will be discovered too.

      --
      So long, and thanks for all the Phish
  9. MicrowhocaresjustuseandOSOS by wud · · Score: 4, Funny

    'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch'

    let's just hope they release the patch on purpose this time

    --
    wud
  10. These are pretty nasty bugs. by Sheetrock · · Score: 4, Insightful

    I've found that people are more likely to encounter these sort of things via e-mail, and that they lend themselves quite easily to fraud/theft. Hopefully, Microsoft will release a patch for this even though it's December, because this will no doubt find its way into (illegitimate) spammers' arsenals.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

  11. Re:The example misuse by dema · · Score: 4, Interesting

    In case anyone is wondering, this doesn't appear to affect IE on mac. When I click the test exploit link on http://www.zapthedingbat.com/security/ex01/vun1.htm it simply turns into http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm

  12. Not a problem in Opera by rbb · · Score: 5, Informative
    Why people keep on using Internet Explorer is a mystery to me, as these problems have been solved ages ago in browsers like for example Opera:
    Security warning: you are about to go to an address containing a username:

    username: www.paypal.com
    server: rc6.org

    Are you sure you want to go to this address?
    --
    In God We Trust, Others We Monitor
    1. Re:Not a problem in Opera by EnVisiCrypt · · Score: 4, Interesting

      Ahem. Mozilla *is* strict, plain and simple, but only if you use the proper doctype definition. If you don't you probably don't care about "strict" rendering anyway.

      I don't use Opera, but I suspect the same is true. If it isn't, then why would you want a browser that intentionally misrenders pages for which the author did not clearly state a doctype? Aren't you just hurting yourself?

      ideal:
      doctype def == strict or "standards" rendering
      no doctype == loose

      This way you get to see most sites on the web, and those authors who have taken the care to craft their pages properly get their pages rendered in the fashion in which they intended.

      --

      *everything* is Orwellian to cats.
  13. Human nature will pull people in more by Amiga+Lover · · Score: 5, Insightful

    I think it's the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking url will just add a few more to the gullible.

    My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately that it's not an ebay address. I pointed that out to him. The email's fake. A scammer looking for a way to make a quick scam using his ebay account.

    What does he do? He goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my ebay account details". It didn't even enter his head that the scam was a COMPLETE scam. Half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.

    A fake URL might catch a few more, but it's people's attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO

  14. IE Mac is fine by wolrahnaes · · Score: 5, Informative

    Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
    1. Re:IE Mac is fine by Talthane · · Score: 4, Informative

      No, the Mac and PC versions of IE have nothing to do with one another beyond a superficial similarity in looks. The Mac version of IE has often been ahead of its bigger brother in terms of standards compliance and suchlike - for example, IE 5.2 does not require the CSS "box model hack" that you have to use to get some sites to render properly in IE 5.5 on Windows. They have a totally different codebase - Microsoft just made use of a name with high brand recognition.

      --
      "This is why men never share their feelings; because women always remember." -Just Shoot Me.
  15. check here to test your browser by nikster · · Score: 5, Informative

    Click on the test button on this page... it's quite scary.

    Of course, you have to use Internet Explorer to see it.

    Internet Explorer is usually found under C:\Program Files\Internet Explorer ;)

  16. Re:Works fine on IE by maharg · · Score: 4, Funny

    mebbe someone spoofed your shortcut to point at Internet%20Explorer%01@Mozilla

    --

    $ strings FTP.EXE | grep Copyright
    @(#) Copyright (c) 1983 The Regents of the University of California.
  17. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  18. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  19. Scares the pants off me... by pubjames · · Score: 5, Insightful

    Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"

  20. Now is the time to Push Mozilla and Firebird by gad_zuki! · · Score: 4, Insightful

    At least I've been having more success pushing alternatives to MS when scary MS articles come out.

    I find giving people the link (or installing it myself) to the Firebird installer and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.

    I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet thieves."

    Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.

  21. Come on ... by zonix · · Score: 4, Insightful

    Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.

    z
    --
    What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
  22. Re:That isn't much better though! by Finuvir · · Score: 5, Interesting

    It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. e.g.

    The site you are visiting may be attempting to masquerade as a different site. The site actualDomain.com appears to be masquerading as apparentDomain.com.

    Visit the real apparentDomain.com (link)

    [ ] Don't show this warning in future. (checkbox)

    You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.

    --
    Why is anything anything?
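    The check that jdreed1024's explanation above and this post describe, written here as an added example (it is not code from the thread, from Opera or from any browser): it parses the authority per RFC 3986, treats everything before the last '@' as userinfo, decodes it, and reports the real host beside any host-looking text or C0 control characters (%00/%01) that would hide the '@' in a buggy address bar. The host-like heuristic ('www.' prefix or a common TLD, roughly what the post suggests), the example domains not taken from the thread, and the verdict labels are assumptions made for this example.

```python
"""Flag URLs whose userinfo could pass for the host (the %00/%01 address-bar spoof)."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# scheme://authority  -- the authority ends at the first '/', '?' or '#'
_AUTHORITY = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)')
# Host-looking token: 'www.' prefix, or a dotted name ending in a common TLD.
# Assumed heuristic for the example; tune the TLD list for your own use.
_HOSTLIKE = re.compile(
    r'(?:www\.[a-z0-9.-]+|(?:[a-z0-9-]+\.)+(?:com|net|org|edu|gov|mil|info|biz|[a-z]{2}))'
    r'(?![a-z0-9.-])', re.I)


@dataclass
class UserinfoCheck:
    real_host: str                 # what the browser actually connects to
    userinfo: str                  # decoded text before the last '@' ('' if none)
    apparent_host: str             # host-looking token inside userinfo ('' if none)
    control_chars: list = field(default_factory=list)  # C0/DEL chars after decoding

    @property
    def verdict(self) -> str:
        if not self.userinfo:
            return "ok"
        if self.apparent_host or self.control_chars:
            return "spoof"         # looks like a host, or would hide the '@' (the IE bug)
        return "warn"              # plain ftp://user:pass@host; still worth a prompt


def check_url(url: str) -> UserinfoCheck:
    m = _AUTHORITY.match(url)
    if not m:
        raise ValueError(f"not an absolute URL with an authority: {url!r}")
    # RFC 3986: userinfo is everything before the LAST '@' in the authority.
    userinfo_raw, at, hostport = m.group(1).rpartition('@')
    host = hostport.split(':', 1)[0].lower()      # drop :port (IPv6 literals not handled)
    if not at:
        return UserinfoCheck(host, '', '')
    # Decode %xx so an encoded %01 and a raw \x01 are treated the same way.
    userinfo = unquote(userinfo_raw)
    controls = sorted({c for c in userinfo if ord(c) < 0x20 or ord(c) == 0x7f})
    hit = _HOSTLIKE.search(userinfo.split(':', 1)[0])  # username part only
    return UserinfoCheck(host, userinfo, hit.group(0).lower() if hit else '', controls)


def warning_text(check: UserinfoCheck) -> Optional[str]:
    """Opera-style prompt (as quoted in the thread), built from the parsed parts."""
    if check.verdict == "ok":
        return None
    shown = check.userinfo.encode('unicode_escape').decode()   # make \x01 visible
    return ("Security warning: you are about to go to an address containing a username:\n"
            f"  username: {shown}\n  server: {check.real_host}")


if __name__ == "__main__":
    # Constructed samples, modelled on the URLs discussed in the thread.
    for u in ["http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html",
              "http://www.zdnet.com@slashdot.org",
              "ftp://user:pass@ftp.mysite.com",
              "http://www.example.com/page@%01evil.example",   # '@' in the path, no userinfo
              "http://slashdot.org/"]:
        c = check_url(u)
        print(f"{c.verdict:5}  host={c.real_host:18}  looks_like={c.apparent_host or '-'}")
```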
  23. Similar IE bug by sopuli · · Score: 5, Interesting
    A little experimentation with this bug yielded another similar bug. The following bit of html:
    <a href="http://www.sco.com%00@www.fsf.org">click me</a>
    when this is displayed in IE, and you hover the mouse over the link, it will display "www.sco.com" in the status bar, but when you click it, it will take you to "www.fsf.org". I'll leave it to the reader to replace the latter link with a more offensive one...
  24. Exposed Cookies? by Terragen · · Score: 4, Interesting

    Does IE know it's being tricked, or does it know the real site and just display the wrong one?

    I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem :/

  25. Firebird fails in the status bar, sort of by burgburgburg · · Score: 4, Informative

    Firebird 0.7 DOES show the spoofed address in the status bar, but with an odd character after the URL. However, it shows the real, spoofed URL in the address bar.

  26. HowTo Exploit by Anonymous Coward · · Score: 5, Interesting
    Here is a one-stop guide to exploiting this.

    Create a local document:
    <html><body>
    <script language="javascript">
    document.write(unescape('http://www.google.com%01@www.yahoo.com'));
    </script>
    </body></html>
    Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.

    Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
    <html><body>
    <a href="http://www.google.com@www.yahoo.com">Google</a>
    </body></html>
    Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)

    Save & open the file in Internet Explorer. Surprise!

    But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
    <html><body>
    <a href="http://www.google.com%00@www.yahoo.com">Google</a>
    </body></html>
    Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?

    Feeling lucky, punk?
  27. MOD PARENT UP by crayz · · Score: 4, Insightful

    Hollllly shit. MS needs to patch this like...two weeks ago.

    Someone is going to make a lot of money with this. For an example of this in action (harmlessly):

    http://crayz.dyndns.org/test.html