New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."

Vulnerability Confirmed on Avant Browser

[Eyah....TIMMY]

Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.

Re:Vulnerability Confirmed on Avant Browser

[zarniwoop102939]

As suggested in the article, you can block the vulnerability in Avant by disabling ActiveX (Tools | Disable ActiveX). This is how I browse with Avant by default, along with:

- Block Flash
- Block Popups
- Block Ads
- Disable Sounds
- Disable Videos
- Disable Java Applets

Makes pages load very fast, and if I need one of those functions for the page I'm on, I just toggle it on for the session.

Between these security features and still having the compatibility of IE, that's why I love Avant so much. Yes I used Firefox for 2 weeks, and went back to Avant.

infinite popups

[yali]

On my computer, the exploit demo seemed to be trying to launch popups, which Google toolbar stopped, which apparently made the demo site want to throw up another popup, which Google toolbar stopped, etc. It looped up to 110 popup attempts before I managed to shut down that IE window.

Not the advertised exploit, but pretty damn annoying in its own right.

Re:Safari

[KingOfTheNerds]

Tried it all in Konqurer, and no problems at all. I hate hackers but maybe these problems will finally start driving people towards alternative browsers. My website currently gets 85% windows users and only 65% IE users. So that's a good start away from IE.

IE for the mac is safe

With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.

Re:Surprisingly, a patch is already out

[YOU+LIKEWISE+FAIL+IT]

If it's the IAS proxy that requires NTML authentication, you can always pipe requests through this python rewriting proxy.

YLFI

Re:Surprisingly, a patch is already out

[Trepalium]

NTLM authentication works fine in recent versions of Mozilla/Firefox/Gecko, even on non-Windows platforms. Plug in the proxy server settings, and go. Firefox will ask for your proxy authentication on the first page request, and remember it until you close the browser.

Re:How long until...

[LiquidCoooled]

The difference between Open Source and MS is that inside MS, coders who are technically employed to work on a specific part of the MS empire cannot easily supply fixes and code for inclusion inside IE. That is down to the IE team to fix. Its just the same at work, we are told to remain focused on our own tasks, no matter if colleagues on other projects are floundering.

Once exploits start coming out for Firefox (as most reasonable people expect them to) those many eyes from around the OSS community (some MS employees included no doubt) can look upon the code and work together to cure problems. In some cases, this will mean pre-emptive fixes to bugs as they are noticed rather than waiting for major exploits.

The team is dynamic, and expands to cover itself.
Firefox has rapidly become the poster boy project for open source, and as such, I don't think any of us would like to see it fail.

misunderstood vulnerability

[metalpet]

This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.

This bug however allows to break cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
Use your imagination.

Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.

All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work accross more environments.

Re:Surprisingly, a patch is already out

[AstroDrabb]

Firefox doesn't even have to prompt you for NTLM if you are logged into a windows domain. However, for security, Firefox only sends NTLM to servers you give the OK to.

In the URL bar type about:config and then filter for "ntlm". In the network.automatic-ntlm-auth.trusted-uris just put a comma separated list of servers you want Firefox to send your NTLM to. For example, double click network.automatic-ntlm-auth.trusted-uris and put in foo.com,bar.com,slashdot.org

The only thing I wish Firefox did was to allow a wild card domain name like *.mycompany.com. My network.automatic-ntlm-auth.trusted-uris entry has gotten pretty long at work : (