Slashdot Mirror
New URL Spoofing Bug in Pre-SP2 IE
An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."
Comment removed based on user account deletion
This exploit also affects Safari 1.2.3 on Panther.
Patch available here
I just know I saw this somewhere about an hour or two ago, and I'm pretty sure I saw it here on /., but I don't remember where. Oh well...
Old/10 (It's like walking with the dinosaurs! And Jesus is riding them! And the Dell Dude got arrested too! whoamg!)
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
Worryingly, Safari is also fooled by the bug - the status bar shows http://www.microsoft.com/ before you click on the link, but the address bar in the resulting window correctly shows http://www.google.com/.
"The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs."
Is it just me, or is that a typo? My version of Safari (1.2.3 v125.9) seems to handle their sample malformed tag just fine, displaying www.google.com as it should. Can anyone confirm or deny whether Safari is affected by this problem?
What does this mean for Windows 2000 users?
http://graha.ms/iesploit.html
Doesn't seem like anything that couldn't be done with javascript.
If you've got a big in-house project with 12 weeks of work remaning and 9 weeks of calendar time, who do you think is goint to approve applying a patch (SP2) taht could cause conflicts with your design environment?
Is it just my observation, or are there way too many stupid people in the world?
Sure one can argue that one should not use IE, but this is not a terribly good reason or interesting news. It should be quite apparent to IE users however that if they haven't yet installed SP2 you need to do so right away. Running without it is just stupid.
Just tested it with Opera 7.54 for Linux ... if you mouseover the actual text, "google.com" shows in the status bar, but if you position your cursor just exactly so that it's kinda over the URL, but not over any of the text, then you can get "microsoft.com" to show.
... can't you just use Javascript to rewrite the status bar anyway?
But I'm kind of confused as to why this is a big deal
Dlugar
Computer Go: Writing Software to Play the Ancient Game of Go
But your best bet would be to either update or switch to an unaffected browser.
What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?
Gnash Gnash Gnash
FF, reformating the world, one windows box at a time.
Most people i know have no clue about disabling javascript - but they are also the sort that wouldn't thing to look in the status bar.
Quote from the article: "The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2,"
When will you apologize?
Just tried it myself on Safari v125.9 on 10.3.5; unfortunately the spoof worked.
Hovering over the actual link showed microsoft.com in the status bar, but clicking it did indeed go to google.
However, I can click outside the link on the same line (thanks to the table spanning the entire width of the article box), and it'll go to microsoft.com as indicated in the status bar when howevering over the line.
Last january, Microsoft Advised to Type in URLs Rather than Click. You have been warned early, consider yourself lucky !
<table>t .com</td></tr></table></a>
<tr><td>
<a href="http://www.google.com/">http://www.microsof
Before you mod me funny, think, perhaps I was insightfully funny?
SP2 for what? IE 6? I'm already on SP4 for my Win 2K boxes. Or do we have to all buy XP and apply SP2 for us to brwose safely?
How come Slashdot never gets Slashdotted?
Too bad the original goatse.cx is down, that could be fun. "Hey Jim, check that financial report!"... At least we have mirrors...
I have a lot of users who despite gentle prodding, still use/need Mac IE of the classic and OSX variants. Is this susceptibility there as well?
With my SP2 system I naviagated to http://graha.ms/iesploit.html/ and hovered over the link. This is what I discovered:
If you place the mouse on the link it shows the link will take you to google as it should, but if you place the mouse just outside the link (I guess on the table border) it says microsoft. The kicker is, that when it says Microsoft, clicking the link will not do anything.
http://brandonbloom.name
Safari goes to the wrong URL too.
Just tried the demo and ended up at Google rather than where the link looked like it should go.
Damn!
Konkeror on KDE 3.3.1 draws a transparent table (the one faked on the link) around the link, being both (the link and a small space outside the text link) clickable, but with different destinations. The resulting window (either google or microsoft) has no spoofed url.
Your head a splode
this is what porn sites have been doing for years, for those who want the secret here it comes
u rn false" onmouseover="top.status='http://google.com';return true" onmouseout="top.status='';return true">click here</a>
<a href="http://google.com" onclick="self.location='http://microsoft.com';ret
works on all browsers with JS capabilities by default (even webTV)
jerks who submit stories like this seem to be the only ones doing the exploiting
95% of IE bugs come for table management (too much nested table and it comes up with unknown error, padding and margin, css incompliances, etc etc)
And still 87% of population uses IE 5/6. So like my roommate told me, developpers know FX is better, but we still have to be compliant with IE. Hopefully with the ad coming this may change (though with the predictions of 10% of market be end of 2005 we might design for IE for still the next decade?).
Table being disabled here, At least we cannot do it on Slashdot... and have goatse spam of a new nature.
Of Code And Men
Apache 1.3.32 to be exact, and it was only one potentially problematic bug. They've already released .33 which fixes the problem. Don't try to troll as you phail at it.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
Comment removed based on user account deletion
You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.
Was originally:
Big. Farking. Deal. :)
Haven't these dorks heard about javascript's onMouseOver? Just go to fark.com and hover over the links.
Neither works in FF, however!
Spoofing bugs are not good, and there's a lot that should be done to fix spoofing, but it's the cross-zone exploits that we really need to worry about. See, 95% of the real security holes in IE come from "security zones". And .NET is just going to embed this design flaw deeper in Windows.
I'll accept screwed up tables if they'll just back out the damn Windows-Explorer integration.
I'm running RC 1 and I see microsoft but it goes to google. But if you look at the source the HTML code is wrong anyhow. Why would you close the anchor tag outside of the table if you put the starting anchor tag in the table. Someone correct me if i'm wrong, please.
So, does this mean IE is dying? I'm confused.
I like big butts and I cannot lie.
Change the html froma href="http://www.google.com/">http://www.microsoft .com</td></tr></table></a> a href="http://www.google.com/">http://www.microsoft .com</a></td></tr></table></a> ;
<a href="http://www.microsoft.com/"><table><tr><td><
to
<a href="http://www.microsoft.com/"><table><tr><td><
(sorry, Extrans mode is breaking the last </a> for some reason there)
and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!
Morphing Software
That's nothing. *My* father installed SP2 against my recommendation, and the next day a burglar broke into his house and stole most of the silverware!
Since installing firefox, nobody has broken into his house again.
No sig
Acutally, this originally posted by Benjamin Tobias Franz to bugtraq on Oct 28th:
0 04 -10-27/2004-11-02/2
http://www.securityfocus.com/archive/1/379764/2
Thus the credit goes to Benjamin, not Netcraft.
What? Old versions of software have bugs? Even Microsoft programs? Whoa! This is like, the biggest news since, that story about what your Linux distro says about you.
From the article, "The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML". If browsers had been pickier from the start, and refused to try to render improper HTML, perhaps we wouldn't see this sort of bug so often. Of course, now everyone expects to be able to view sites no matter how bad the code, so a 'correct' browser wouldn't be popular. Maybe browsers should start flagging improper HTML as a security risk; might actually get some people's attention.
When I first read "url spoofing", I immediatly thought that this was about spoofing the address displayed in the address bar. This is at least what I have always considered as url spoofing. I figure that "link spoofing" is something that is more descriptive, but knowing the slashdot community this is gonna be bashed quickly. Anyone have a definition of "url spoofing" if this even exist?
Netscape 7.2 is basically Mozilla 1.7(.1?) with AOL addons and ads.
"Actually, I have to say that installing SP2 was not a good idea, atleast in my experience. I installed it on one of my computer systems, and it didn't boot."
Yeah, same here. I installed SP2 on two computers at work last week: one works fine, the other wouldn't even boot after installing. The only choice was to uninstall SP2 and stick with SP1.
It's absolutely retarded for a company to release security fixes for a bloody _WEB BROWSER_ that require you to upgrade the entire operating system.
<a o ft .com</td></tr></table></a>
href="http://www.google.com/">http://www.micros
displaying http://www.microsoft.com in the browser, but sending the user to Google.
Is it the <table> that does it or the nested <a> tags?
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
IE's ability to parse anything meant it survived the problems which caused both Opera and Firefox to crash has also made this nastiness possible...
There's mischief and malarkies but no queers or yids or darkies within this bastard's carnival, this vicious cabaret.
Because like it or not, SP2 has not been installed by many XP users.
Not to mention the fact that this bug most likely affects MSHTML as a whole, which means that it may appear in all IE versions before SP2 as well. Being able to spoof links like this in all major versions of IE before SP2 is highly dangerous IMO.
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
Though another poster claims Safari isn't affected by this, I was able to replicate the vuln in Safari 1.2.3 (v125.9). So it appears that the other posters are incorrect. Firefox is unaffected, Internet Explorer show 'http://www.microsoft.com' when the cursor has changed to the link finger but shows 'http://www.google.com' when the cursor is over the link text. Opera for Mac displays the same oddities as IE. OmniWeb for Mac also does this, however, the space in which is displays the spoofed address is only about a pixel wide. Strangely, lynx didn't seem to have much to say :)
"previous versions of mozzila (whitch I use) have bugs too, and security flaws. report them too!"
But, unlike IE, upgrading Mozzilla to fix the bugs doesn't require you to _UPGRADE YOUR ENTIRE OPERATING SYSTEM_. You see, Mozilla is written by sane people, who don't think it's a sensible idea to wire a web browser deep into the operating system.
Is something like this discovered by accident, or is some poor person sitting at a desk coding weird html all day to see what happens?
I think we are looking at this from the wrong perspective. This is not another flaw in Internet Explorer. The flaw in IE is the design from the ground up. This is just another in the long list of completely related flaws in the browser. They need to just give up on patching and rewrite the damn thing, and use Gecko as the engine ;)
Pre SP2...so if a user fails to update, it is MS's fault...so all those linux errata pages concerning root vulnerabilities, ssh, KDE, Gnome, are OK???
...
Grow up Slashdot editors!!!!
1) STOP THE FUD!
2) Try placing the same blame on exploits to linux for each flaw it has.
3) Show me that the majority of the linux users can rewrite their source code, before using the opensource argument (we all know they can't, and recfging the kernal, or compiling it again is not the same as rewriting it to fix the freaking flaw!)
4) Stop acting like politicians, spouting bullshit bashing instead of actualy saying something useful, or constructive.
5) Go whine in the corner again about the evil FOR PROFIT corp (MS). Then ask yourselves, if all the code was free, who the fuck would want to work in IT, since they couldn't make a living writing the code, setting up the networks, because it was all free...(this isn't the 23rd century StarTrek universe, people actualy have to PAY for the basic needs...). We won't even get into the mess the massive proprieteary code written for free, would cause in compatibility
According to the article, Safari is affected. The Safari on my system (1.2.3 (v125.9)) is not, and that's up to date.
Did anybody see the interesting example Netcraft gave for their webserver search?
http://www.w3.org/TR/html401/struct/links.html#ede f-A
...
According to the HTML4 ref @ w3, putting a table inside of an anchor-tag is illegal. Only inline tags may reside there, and a table is a block-level tag.
Since ths means the browser's behavior is undefined, I hope they come up w/ a better fix
Why aren't you encrypting your e-mail?
If I can trick you into visiting download.trojan.here.com because you think you are going to www.microsoft.com, that's all I need.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Tinyurl has lots of good examples of how the astute user can still be burnt. If the status bar shows "microsoft.com/whatever/whenever" but the actual site has the usual garbage, the user will not be clued in. Indeed, the user may not even be able to see the root of the site through the three thousand character url which so many legitimate sites generate.
Your example is trivial and misses the potential of the exploit:
You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.
How about a link that says "citibank.com" in an email and on your status bar that tells the recipient that they should log in to check for suspicious activity? The user goes to the bogus site, which may have valid certs and make the little lock appear and looks just like the citbank site. The user then gives the sender their citibank name and password without thinking twice about the random character url they are confronted with because it's what they are used to seeing. The sender then cleans out the user's account.
A status bar that works is an important part of preventing that kind of fraud.
Friends don't help friends install M$ junk.
That, and financial sites that are supposed to be secure, but will only work with IE. The reason? JavaScript bugs that are easily fixed, but not high on their priorities.
All I want is a kind word, a warm bed and unlimited power.
What if this affected the domain Slashdot displays after every link? Lets find out: .com
http://www.microsoft
Apparently not, but strange nonetheless.
shdoclc.dll is the mshtml rendering engine.
Benefits of having the rendering engine be a part of the OS:
Any application can hook into the rendering engine and use it for HTML rendering. LOTS of applications embed the shdoclc control into their main panels and use it for navigation, etc. It's trivial to do this, and it means it's a lot less work for people to do.
Downsides:
Any vaunerabilities that are discovered in the engine, will effect all the apps that call it.
Internet Explorer is a "front" for the engine. So is MyIE2 (with some other features thrown in there.)
Integration isn't as bad as you think it is.
It's news because it's a bug in software that most people use but will probably remain unfixed for anyone running Windows earlier than XP SP2. And I'm sure it helps that this is software that is not particularly popular with this crowd. ;)
I can second that, our whole miltary here in Cherry Point, NC uses IE ....except for me who installed firefox, just recentally after having to reload a computer from spy/malware i just started showing them firefox, alot of them after have come up to me go I love firefox where can i get it for my home machine?
Loading Please Wait....
The latest version of IE6 on win2k is not affected. Updates for win2k are still being produced, whats your problem?
Only the State obtains its revenue by coercion. - Murray Rothbard
Yep. I am a big firefox evangelist for windows, but SP2 is the Firefox killer in many ways.
That said, there are lots of 98 and 2K installations. There are lots of XP people sick of spyware or are curious about tabs, handy extensions, etc. Or at just worried about security. Computers arent these things in our living room anymore, they are our central digital hub. They have our work, photos, taxes, etc on them. Using IE is like driving drunk. Lots of XP users are slowly coming to realize this.
The really great part about this is that microsoft's incompetence will help the responsbile online community promote real HTML standards. No more "you need this to view that" nonsense. With pages working on mutliple browsers we can edge into better mobile browsers, lower cost to entry, break the digital divide, promote other OS's, etc and show Microsoft that from now on there will be a front to fights its Embrace, Extend, and Extinguish business plan.
>> Or do we have to all buy XP and apply SP2 for us to brwose safely?
Just download Browse Safe 1.0
"Lisa, I want to buy your rock." -Homer Simpson
It's news because firms are still on hardware and/or software certified to work with a legacy app, and home users with small budgets run outdated hardware and/or software because they can't afford an upgrade. Because Microsoft has begun the end-of-life process for Microsoft Internet Explorer on versions of the Microsoft Windows operating system prior to Microsoft Windows XP, this bug may prove unfixable in all versions of IE that are designed to work on Microsoft Windows 98SE, Microsoft Windows ME, Microsoft Windows NT 4.x, and Microsoft Windows 2000 operating systems.
Redhat 5.2 and Irix 6.5.11 are vulnerable to remote root exploits.
Red Hat Linux 5.x and Irix 6.x don't have near the market share of Windows 98, Windows ME, and Windows 2000, none of which can run IE SP2.
You can't blame microsoft for people not upgrading.
Yes, I can blame Microsoft for charging more than many home users can afford for Windows XP, a pre-requisite for the SP2 upgrade, and the RAM required to upgrade a Windows 98SE-spec machine to Windows XP.
Ironically, this exploit doesn't work on my old work mac using os 8.6, and Internet Explorer 5.0. I guess sometimes simplicity is the easiest security?
REMEMBER! I was drunk when I posted this...
I put a test page up. There are two spoof tests on the page. The latest version of Firefox is not affected by either of them if you left click the link. However, if you middle click the first spoof test, Firefox takes you to the wrong site.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Looking at these numbers, migration to alternative browsers may have peaked before the release of SP2.
This type of bug is very minor. I never trust what the status bar says on mouse-over of a link. With a little bit of javascript, it's easy to have it say whatever you want. Many sites already employ this. All it does is annoy me.
The bottom line is, once you land on the site, what does it say in the address bar and the status bar then?
One other thing, be careful of misleading domains that replace "1" with an "l" or vice versa.
eTrade SUCKS
The a href for userinfo's have .exe's in them and if you click the link on IE the second a href tag will open the executable.
http://saveie6.com/
I'm using a slower computer (Pentium 200 MHz), and when I hover the link, "http://www.google.com/" appears on the status bar for a split-second, before being replaced with "http://www.microsoft.com/". It appears that IE is tracing down the document structure tree and setting the status bar twice.
He's talking about the machines you're using for development, not testing. Needing to reformat a test machine is no biggie.
Speaking of tricking others, someone can very well use this spoofing bug in conjunction with the Gmail cookie problem.
>Actually, more bugs are being found in Firefox
> than in IE right now. BUT, the firefox source
> is available, so people can look through it for
> bugs,
Whoops. You've just shot down the whole OSS theory. FireFox should never have more bugs being found than IE, BECAUSE people have spent so many hours looking at it (which, even though it's been publically available for months, even years, nobody has). The REALITY is that open-source or not, it's still prone to the same old bugs, and the software life cycle continues as normal. How do you guarantee that anyone looks at it? Just because you can doesn't imply that you do.
because:
a) windows 2000 is still supported (upgrades are available), yet microsoft will say XPSP2 is the patch for windows 2000 (its like saying the linux 2.4 series kernel is outdated software)
b) not everybody can migrate to SP2 because their software isn't compatible - to those people linux would be just as suitable to them to fix the problem, compared with SP2
Define people not upgrading. We played with this at work about a day ago... my PC (WinXP, SP2, patched to date) was fine with IE, although Firefox got very confused. Opera was quite happy, and ignored the problem. The guy who bought this up was having issues. He was running Win2K, SP4, patched to date. Spot the difference.
He's quite happy running Win2K (and I'd rather do that, but don't have the option). He's up to date, as far as he can be without reinstalling his PC, and he appears to be at risk. There should not be an implied "you should upgrade to the latest OS because you are running an out-of-date one" with this. It's a problem with the browser, not a gaping hole in the OS.
The primary issue in pre-XPSP2 IE is that when you click on the link, the URL bar says http://microsoft.com while the site is really http://google.com. Changing the status bar's text has not been seen as a major security issue historically, and Mozilla/Firefox lets you prevent web sites from changing the status bar.
In any case, the URL bar should be authoritative for where you are, which is the issue in pre-XPSP2 IE.
Oh, shoot! I retract that.
I re-read the article and saw that it's a status bar issue after all.
I don't trust the status bar, and I don't see how this is really a big security issue. Besides, phishers are already using e-mail messages with embedded images that have http://citibank.com in the image but link to http://10.83.94.2:893, for instance.
So, I wouldn't hold my breath on Microsoft fixing this issue as larger issues out there already exist. But, I do agree that any security issue should be resolved, regardless of how minor.
Come to think of it, phishers can possibly use the image trick combined with this vulnerability to make the status bar say http://citibank.com, where this vulnerability can become quite serious.
Perhaps we should encourage users to check the URL bar of sites that they are in?
Because I've installed SP2 twice on my Windows XP box, and it stuffed it up both times. I had to Ghost my backed-up partition back again to fix it. (And I've had way too much XPerience with Microsoft service packs NOT to Ghost the partition first...)
With SP2 installed I get a blue screen at bootup with a string of meaningless error messages (your computer has crashed, basically) and an error 000000E7, which could be bad memory (unlikely, I run Linux on the same beast, an Athlon64 3400+), or it could be excessive bandwidth on USB devices (!) or apparently it could also be a bad driver.
Whatever it is, I can't install SP2 so I can't patch IE. Just as well I've been using Firefox since it was Phoenix 0.6.
Oh yeah, and I paid my thirty bucks to Spread Firefox. It's a seriously good browser.
Hal Spacejock: Science Fiction with Nuts
Who the hell modded that up?
Assume I was drunk when I posted this.
didn't know anybody was still using ie...
All the torrents you could want.
This is really a non-story. There are 50 different ways to spoof this, mostly javascript I'll admit, but you could also open multiple links from a url on the page, and inconvenience and confuse even the most experienced user so much that their only option would be to shut the whole thing down.
Use something like Maxthon as a wrapper for IE and you'll all be much safer. Notice the comparative, you cannot be absolutely safe.
I just got the exploit to work on 10.3.5 and Safari 1.2.5
I have no access to Konquerer, is this a KHTML engine problem, or a Safari-only one?
Rule of the open mind
People who are resistant to change cannot resist change for the worst.
It's only a bug in outdated software if you consider Firefox RC1 to have been outdated by its predecessor!
I'll get my asbestos suit.
"What we imagine is order is merely the prevailing form of chaos"
*blink*
Now, here in Australia at least:
Malware + Military Bases = Bad News
Don't you think?
"What we imagine is order is merely the prevailing form of chaos"