Slashdot Mirror


New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."


  1. Vulnerability Confirmed on Avant Browser by Eyah....TIMMY · · Score: 5, Informative

    Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.

    --

    It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
    1. Re:Vulnerability Confirmed on Avant Browser by zarniwoop102939 · · Score: 5, Informative

      As suggested in the article, you can block the vulnerability in Avant by disabling ActiveX (Tools | Disable ActiveX). This is how I browse with Avant by default, along with:

      - Block Flash
      - Block Popups
      - Block Ads
      - Disable Sounds
      - Disable Videos
      - Disable Java Applets

      Makes pages load very fast, and if I need one of those functions for the page I'm on, I just toggle it on for the session.

      Between these security features and still having the compatibility of IE, that's why I love Avant so much. Yes I used Firefox for 2 weeks, and went back to Avant.

  2. Safari by sys49152 · · Score: 2, Informative

    Just tried it with Safari. Clicking the demo link does absolutely nothing. Turning off pop-up blocking and clicking the link does ... absolutely nothing.

    Next.

    1. Re:Safari by KingOfTheNerds · · Score: 3, Informative

      Tried it all in Konqueror, and no problems at all. I hate hackers but maybe these problems will finally start driving people towards alternative browsers. My website currently gets 85% windows users and only 65% IE users. So that's a good start away from IE.

      --
      Want to learn about anything sexual? Check out the sex wiki:
  3. infinite popups by yali · · Score: 3, Informative
    On my computer, the exploit demo seemed to be trying to launch popups, which Google toolbar stopped, which apparently made the demo site want to throw up another popup, which Google toolbar stopped, etc. It looped up to 110 popup attempts before I managed to shut down that IE window.

    Not the advertised exploit, but pretty damn annoying in its own right.

  4. Spoofstick and Qwik-Fix don't detect/block this by CFrankBernard · · Score: 2, Informative

    I have the latest version of Spoofstick (1.02 released 8/18/2004) and PivX Qwik-Fix Pro (v1.4) and the vulnerability tests positive in my up-to-date IE: a new window appears with both IE and Spoofstick reporting the site as citibank.com

    1. Re:Spoofstick and Qwik-Fix don't detect/block this by Suddenly_Dead · · Score: 2, Informative

      Spoofstick simply removes any tricky usernames/passwords or subdomains that would trick some users. So, ebay.phishing.com is shown as phishing.com, and ebay.ca/login.php@newb.com is shown as newb.com. Spoofstick can not handle an exploit like this since the address bar would actually show citibank.com, without anything extra.
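As an added example (not from the thread, and not Spoofstick's own code), here is the kind of "real host" check a toolbar like the one described above performs, and which of the two tricks it catches. It uses Node's built-in WHATWG `URL` parser, so the `@` trick is written with the `@` before the first slash, where every parser treats the text in front of it as userinfo; the sample links are constructed, and the two-label "registrable domain" rule is a simplification (a real tool would use the Public Suffix List). It does nothing against the bug in the article itself, since there the address bar content is already wrong before any such check runs.

```javascript
// Added example, not code from the page. Simulates a "show the real host" indicator.

// Registrable-domain heuristic: last two DNS labels.
// Simplification: mis-handles suffixes such as co.uk; use the Public Suffix List for real work.
function displayedHost(urlString) {
  const u = new URL(urlString);                 // throws on unparsable input
  const host = u.hostname;                      // userinfo before '@' is NOT part of hostname
  if (/^[\d.]+$/.test(host) || host.startsWith('[')) return host;   // IPv4 / IPv6 literal
  return host.split('.').slice(-2).join('.');
}

// The page claims to belong to `brand` (e.g. "ebay.com"); flag it if the real host differs.
function looksLikeSpoof(urlString, brand) {
  return displayedHost(urlString) !== brand;
}

// Constructed sample links (hypothetical hosts):
const samples = [
  ['http://www.ebay.com@newb.com/login.php', 'ebay.com'],   // userinfo trick: shows newb.com
  ['http://ebay.phishing.com/signin', 'ebay.com'],           // subdomain trick: shows phishing.com
  ['https://signin.ebay.com/ws/eBayISAPI.dll', 'ebay.com'],  // genuine: shows ebay.com
];

// Returns [{url, shown, spoof}] for each sample, for inspection or assertion.
function checkSamples() {
  return samples.map(([url, brand]) => ({
    url,
    shown: displayedHost(url),
    spoof: looksLikeSpoof(url, brand),
  }));
}

console.log(checkSamples());
```

The indicator works only because the text it prints is derived from the URL the browser actually fetched; a bug that lets a page control what the address bar displays for a different origin leaves nothing trustworthy for it to parse.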

  5. IE for the mac is safe by Anonymous Coward · · Score: 3, Informative

    With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.

  6. Re:Surprisingly, a patch is already out by YOU+LIKEWISE+FAIL+IT · · Score: 4, Informative

    If it's the IAS proxy that requires NTLM authentication, you can always pipe requests through this python rewriting proxy.

    YLFI
    --
    One god, one market, one truth, one consumer.
  7. Re:javascript by Anonymous Coward · · Score: 1, Informative

    Just as easily they could have done
    window.status="http://www.citibank.com"; and then you wouldn't see the javascript.

  8. Re:How long until... by fireduck · · Score: 2, Informative

    it's already happened. see the firefox page.

  9. Re:Surprisingly, a patch is already out by Trepalium · · Score: 4, Informative

    NTLM authentication works fine in recent versions of Mozilla/Firefox/Gecko, even on non-Windows platforms. Plug in the proxy server settings, and go. Firefox will ask for your proxy authentication on the first page request, and remember it until you close the browser.

    --
    I used up all my sick days, so I'm calling in dead.
  10. Re:How long until... by LiquidCoooled · · Score: 3, Informative

    The difference between Open Source and MS is that inside MS, coders who are technically employed to work on a specific part of the MS empire cannot easily supply fixes and code for inclusion inside IE. That is down to the IE team to fix. It's just the same at work; we are told to remain focused on our own tasks, no matter if colleagues on other projects are floundering.

    Once exploits start coming out for Firefox (as most reasonable people expect them to) those many eyes from around the OSS community (some MS employees included no doubt) can look upon the code and work together to cure problems. In some cases, this will mean pre-emptive fixes to bugs as they are noticed rather than waiting for major exploits.

    The team is dynamic, and expands to cover itself.
    Firefox has rapidly become the poster boy project for open source, and as such, I don't think any of us would like to see it fail.

    --
    liqbase :: faster than paper
  11. misunderstood vulnerability by metalpet · · Score: 4, Informative

    This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.

    This bug, however, allows breaking cross-domain scripting boundaries.
    A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
    Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, sending random replies to them, etc...
    Use your imagination.

    Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.

    All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work across more environments.

  12. Re:Speaking of Firefox... by Anonymous Coward · · Score: 1, Informative

    It's already been fixed.

  13. Re:No way! by nolife · · Score: 2, Informative

    I complained to American Express. I did not even get a reply.

    The main page login dialog here does not work with FF. If you select the "Benefits" link on that page, then select "Manage Your Account", that login screen will work with FF. Odd, they get you to the same place but they have two front ends for it. Everything else works with FF from that point on. Sloppy on their part.

    --
    Bad boys rape our young girls but Violet gives willingly.
  14. Re:Yet another reason... by gnarled · · Score: 2, Informative

    If you are really curious Sam Spade has a link deobfuscator feature.

    BTW the site seems to not be working right now, but that should be temporary.

    --
    I'm a firm believer in the philosophy of a ruling class. Especially since I rule. -Randal, Clerks
  15. Re:Surprisingly, a patch is already out by Anonymous Coward · · Score: 1, Informative

    Which was first: Mozaic/Netscape/Mozilla, or Internet Explorer?

    Since Internet Explorer is based on the original NCSA Mosaic browser, which was developed before "Mozaic/Netscape/Mozilla," I'm going to have to go with IE on this one.

  16. Re:Which version of Firefox isn't? by recursiv · · Score: 2, Informative
    I'm assuming this is a troll, but for the sake of pedantry, I have to ask: What are the features that IE has that Firefox doesn't have?

    I'm thinking hard here, and the only things I am coming up with are OS shell integration and activeX, which are dubious at best.

    It has surpassed IE in the following categories:
    • tabbed browsing
    • interface (things like find in page, etc)
    • extensions
    • developer tools (DOM inspector, javascript console, etc)
    • susceptibility to exploits
    • options provide greater control (popup blocker, finer grain javascript permissions, etc)
    • [X]HTML compliance


    And if you don't like it, you have the ability to uninstall it!
    --
    I used to bulls-eye womp-rats in my pants
  17. Re:Surprisingly, a patch is already out by AstroDrabb · · Score: 4, Informative
    Firefox doesn't even have to prompt you for NTLM if you are logged into a windows domain. However, for security, Firefox only sends NTLM to servers you give the OK to.

    In the URL bar type about:config and then filter for "ntlm". In the network.automatic-ntlm-auth.trusted-uris just put a comma separated list of servers you want Firefox to send your NTLM to. For example, double click network.automatic-ntlm-auth.trusted-uris and put in foo.com,bar.com,slashdot.org

    The only thing I wish Firefox did was to allow a wild card domain name like *.mycompany.com. My network.automatic-ntlm-auth.trusted-uris entry has gotten pretty long at work : (

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  18. Re:Dupe by the+pickle · · Score: 2, Informative

    No, not a dupe.

    The vulnerability discussed in the article you linked is here:

    http://secunia.com/advisories/13251/

    which, as you can plainly see, is #13251. Secunia calls it the "window injection vulnerability."

    The vulnerability discussed in THIS article is

    http://secunia.com/advisories/13482/

    Quite obviously number 13482. Secunia calls this one the "cross-site scripting vulnerability."

    So no, they're not the same thing at all, and you're karma-whoring with falsely "informative" posts.

    p

  19. Re:NEVER mention competitor?? by allism · · Score: 2, Informative

    A) IE is very recognized. I don't think there is anyone that uses the internet that doesn't know what it is.

    Laura Ingraham recently changed her website. The day she changed it, she had people calling in telling her whether they were being directed to her old site or her new site, and was asking what browser and ISP they were using. You would be amazed (or maybe you wouldn't) at how many people just responded with something like 'my internet' or 'AOL' for their browser. Her little sidekick dude kept telling people, "If there's a blue E, it's Internet Explorer." Even after he had said that probably half a dozen times on the air, there were still people calling in who had no idea what browser they were using - they were just using the one that came with the computer.

    (OK, let the jokes begin about the kind of people who listen to conservative talk radio)

    Someone mentioned in one of the earlier Firefox discussions to approach switching someone by saying something to the effect of "Have you upgraded your browser yet?" (Which, by the way, still hasn't made a difference to my parents or my in-laws)