New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."

Vulnerability Confirmed on Avant Browser

[Eyah....TIMMY]

Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.

Re:Vulnerability Confirmed on Avant Browser

[zarniwoop102939]

As suggested in the article, you can block the vulnerability in Avant by disabling ActiveX (Tools | Disable ActiveX). This is how I browse with Avant by default, along with:

- Block Flash
- Block Popups
- Block Ads
- Disable Sounds
- Disable Videos
- Disable Java Applets

Makes pages load very fast, and if I need one of those functions for the page I'm on, I just toggle it on for the session.

Between these security features and still having the compatibility of IE, that's why I love Avant so much. Yes I used Firefox for 2 weeks, and went back to Avant.

Re:Surprisingly, a patch is already out

[YOU+LIKEWISE+FAIL+IT]

If it's the IAS proxy that requires NTML authentication, you can always pipe requests through this python rewriting proxy.

YLFI

Re:Surprisingly, a patch is already out

[Trepalium]

NTLM authentication works fine in recent versions of Mozilla/Firefox/Gecko, even on non-Windows platforms. Plug in the proxy server settings, and go. Firefox will ask for your proxy authentication on the first page request, and remember it until you close the browser.

misunderstood vulnerability

[metalpet]

This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.

This bug however allows to break cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
Use your imagination.

Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.

All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work accross more environments.

Re:Surprisingly, a patch is already out

[AstroDrabb]

Firefox doesn't even have to prompt you for NTLM if you are logged into a windows domain. However, for security, Firefox only sends NTLM to servers you give the OK to.

In the URL bar type about:config and then filter for "ntlm". In the network.automatic-ntlm-auth.trusted-uris just put a comma separated list of servers you want Firefox to send your NTLM to. For example, double click network.automatic-ntlm-auth.trusted-uris and put in foo.com,bar.com,slashdot.org

The only thing I wish Firefox did was to allow a wild card domain name like *.mycompany.com. My network.automatic-ntlm-auth.trusted-uris entry has gotten pretty long at work : (