Slashdot Mirror


New IE Bug Hides Real Site Address

Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."

19 of 683 comments

  1. This bodes ill by panxerox · · Score: 5, Insightful

    for paypal where there are so many redirect scams.

    --
    "It's so convenient to have a system where everyone is a criminal" - A. Hitler
    1. Re:This bodes ill by glpierce · · Score: 5, Funny

      ...and Slashdot, where there are so many people trying to get you to look at goatse

      --
      G
    2. Re:This bodes ill by rifter · · Score: 5, Insightful

      for paypal where there are so many redirect scams.

      You're telling me, buddy. Unfortunately Microsoft is not aware that this occurs at all, ever. This is a good example of how unaware they are in general. Meanwhile...

      Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.

      So I should use firewalls and antivirus software. Riiiight. Doesn't address this vulnerability in the slightest. How about I don't use MS software for business-critical financial transactions. Especially since they "may" release a patch. Someday. Like they did for the 1001 other vulnerabilities they did not want reported.

      Microsoft faulted security mavens for publicizing the flaw, implying that they hadn't given Microsoft sufficient time to craft a patch.

      "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the statement reads. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

      So customers should not be warned that they might be fooled into giving their money to thieves/terrorists because it might embarrass Microsoft. That is irresponsible in itself. Besides Microsoft does not fix vulnerabilities unless they are widely publicized enough that CNN is reporting them and CEOs understand them. Again the only responsible thing to do is to advocate Mozilla for financial transactions.

  2. Link to POC test by Anonymous Coward · · Score: 5, Informative
  3. See also by lamery · · Score: 5, Funny

    http://www.microsoft.com/ie_advisory@%01goatse.cx

  4. That would explain a lot by Anonymous Coward · · Score: 5, Funny

    All that bizarre crap on the SCO website must actually be The Onion playing games...?

  5. Word from the Microsoft Information Minister by JavaSavant · · Score: 5, Funny

    There is no bug, and there will be no patches in December! We will reveal the vulnerabilities of the infidels and they shall tower over our own!

    I don't really get them sometimes, honestly. Is this sort of like there being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?

  6. The patch they should issue! by rknop · · Score: 5, Insightful

    Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?

    Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downloaded Java 1.4, whereas it does work from Mozilla.)

    -Rob

  7. Re:Not patching this month...... by Pelorat · · Score: 5, Funny

    Actually, if they're going to break promises, that's a good one to start with.

  8. Not a problem in Opera by rbb · · Score: 5, Informative
    Why people keep on using Internet Explorer is a mystery to me, as these problems have been solved ages ago in browsers like for example Opera:
    Security warning: you are about to go to an address containing a username:

    username: www.paypal.com
    server: rc6.org

    Are you sure you want to go to this address?
    --
    In God We Trust, Others We Monitor
  9. Human nature will pull people in more by Amiga+Lover · · Score: 5, Insightful

    I think it is the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking URL will just add a few more to the gullible.

    My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately it's not an eBay address. I pointed that out to him. The email's fake. A scammer looking for a way to make a quick scam using his eBay account.

    What's he do? Goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my eBay account details". It didn't even enter his head that the scam was a COMPLETE scam. Half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.

    A fake URL might catch a few more, but it's people's attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO

  10. IE Mac is fine by wolrahnaes · · Score: 5, Informative

    Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
  11. check here to test your browser by nikster · · Score: 5, Informative

    click on the test button on this page.... it's quite scary.

    Of course, you have to use Internet Explorer to see it.

    Internet Explorer is usually found under C:\Program Files\Internet Explorer ;)

  12. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  13. Scares the pants off me... by pubjames · · Score: 5, Insightful

    Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"

  14. Re:That isn't much better though! by Finuvir · · Score: 5, Interesting

    It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.

    The site you are visiting may be attempting to masquerade as a different site. The site actualDomain.com appears to be masquerading as apparentDomain.com.

    Visit the real apparentDomain.com (link)

    [ ] Don't show this warning in future. (checkbox)

    You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.

    --
    Why is anything anything?
  15. Similar IE bug by sopuli · · Score: 5, Interesting
    A little experimentation with this bug yielded another similar bug. The following bit of html:
    <a href="http://www.sco.com%00@www.fsf.org">click me</a>
    When this is displayed in IE, and you hover the mouse over the link, it will display "www.sco.com" in the status bar, but when you click it, it will take you to "www.fsf.org". I'll leave it to the reader to replace the latter link with a more offensive one...
  16. Re:Not patching this month...... by jdreed1024 · · Score: 5, Informative
    The problem is that it looks like it affects them all.

    If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol

    http://www.zdnet.com@slashdot.org

    No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @ symbol or anything after it. Thus:

    http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html

    will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:

    http://www.yahoo.com

    Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)

    And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.

    --
    There is no sig, there is only Zuul.
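
The warning Finuvir proposes and the %00/%01 case jdreed1024 describes, combined into one link check. This is an added example, not part of the original thread; the function names are hypothetical and it relies only on the standard `URL` class. It reports the real server alongside the userinfo part, as the Opera dialog quoted earlier does.

```javascript
// Added example; function and field names are hypothetical.
// Percent-escapes for control characters: %00-%1F and %7F.
const CONTROL_ESCAPE = /%(?:[01][0-9a-f]|7f)/gi;
// "www." prefix, or a dotted name ending in a TLD-like label.
const HOSTLIKE = /^(?:www\.|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$)/i;

function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { ok: false, host: null, userinfo: null, reasons: ['unparseable URL'] };
  }
  const reasons = [];
  // URL keeps userinfo percent-encoded, so the escapes are still visible here.
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  if (userinfo !== '') {
    reasons.push('URL has a userinfo part before "@"');
    if (userinfo.replace(CONTROL_ESCAPE, '') !== userinfo) {
      reasons.push('userinfo contains an encoded control character');
    }
    // What a reader would take for the "site" if the rest were hidden.
    const visible = url.username.replace(CONTROL_ESCAPE, '');
    if (HOSTLIKE.test(visible)) {
      reasons.push(`userinfo "${visible}" looks like a host name`);
    }
  }
  return { ok: reasons.length === 0, host: url.hostname, userinfo, reasons };
}

// Warning text modelled on the Opera dialog quoted earlier in the thread.
function warningFor(href) {
  const r = inspectLink(href);
  if (r.ok || r.host === null) return null;
  return [`username: ${r.userinfo}`, `server: ${r.host}`, ...r.reasons].join('\n');
}

// URLs taken from the thread.
for (const href of [
  'http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html',
  'http://www.zdnet.com@slashdot.org',
  'http://www.sco.com%00@www.fsf.org',
  'http://www.yahoo.com',
]) {
  console.log(href, '->', warningFor(href) ?? 'no userinfo, nothing to warn about');
}
```
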
  17. HowTo Exploit by Anonymous Coward · · Score: 5, Interesting
    Here is a one-stop guide to exploiting this.

    Create a local document:
    <html><body>
    <script language="javascript">
    document.write(unescape('h ttp://www.google.com%01@www.yahoo.com'));
    </scrip t>
    </body></html>
    Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.

    Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
    <html><body>
    <a href="http://www.google.com@www.yahoo.com">Google< /a>
    </body></html>
    Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)

    Save & open the file in Internet Explorer. Surprise!

    But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
    <html><body>
    <a href="http://www.google.com%00@www.yahoo.com">Goog le</a>
    </body></html>
    Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?

    Feeling lucky, punk?