Slashdot Mirror


New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."

30 of 372 comments

  1. Re:Microsoft is so sweet by mOoZik · · Score: 2, Insightful

    Yes, and outside of nerdville, who gives a shit about Firefox? What OSS has to do is release ads to TELL people how bad IE is, not how good Mozilla is alongside. SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE.

  2. How long until... by dew4au · · Score: 5, Insightful

    ...people start banging on Firefox hard enough to expose vulnerabilities?

    Or, is Mozilla just that good at plugging leaks before they happen?

    1. Re:How long until... by lewiz · · Score: 4, Insightful

      Somehow the poster of the parent has been modded down for Trolling, regardless of the fact that it is a valid point, within the context of the article, and definitely not a troll.

      I frequently wonder what will happen as people start to shift more focus onto the software we so highly regard. Hands down Firefox is a more usable browser but I don't think it yet has the sort of attention that Internet Explorer does. Until such a time we will never truly know just how resilient Firefox is.

    2. Re:How long until... by EngMedic · · Score: 2, Insightful

      This has been knocked around here for quite a while, and every time, somebody points out what I'm about to.

      It's probably safe to say that Firefox is simply a better written browser, but another aspect of the issue is the question of system incorporation. Bugs on IE are critical because not only can they do the normal spoof/phish/etc, they can also worm their way into the guts of Windows. Bugs on Firefox can't, simply because Firefox isn't integrated as tightly into the operating system as a whole -- and when we're talking about web browsers, that's a Good Thing.

      --
      filter: +3. Hey, look! all the trolls went away!
    3. Re:How long until... by EngMedic · · Score: 2, Insightful

      No piece of software is bulletproof, and Firefox is no exception, certainly. Its lack of ActiveX support and relative independence from the kernel are two powerful advantages it has over IE, however, in the realms of security. Spoofs can still happen, last week's "this affects all browsers" vulnerability being a notable one, but in my experience, they tend to be fewer, less critical, and patched faster.

      --
      filter: +3. Hey, look! all the trolls went away!
    4. Re:How long until... by roca · · Score: 2, Insightful

      They are banging away. There is a bug bounty program, remember. And since everyone says Firefox is a more secure browser, isn't it cooler to take down FF than IE?

    5. Re:How long until... by Anonymous Coward · · Score: 1, Insightful

      ...this may seem obvious to people with no technical understanding of software, but as a professional developer, I've got to ask. How exactly does IE allow people to worm their way into the "guts of Windows" as you suggest? Frankly, any browser that supports 3rd party binary extensibility (plug-ins, ActiveX, Java, whatever) on an OS that allows users to run as Administrator by default is prone to exactly the same attacks. Firefox is not miraculously unintegrated and consequently more secure. Stop saying this, you are giving people a very false sense of security. As to Firefox being a "better written browser", this is also clearly not true given the fact that malformed HTML, so common on the Web today, actually tends to CRASH Firefox while IE happily renders it as best it can and moves on. I realize Microsoft has taken a very long time to update IE, but come on. Firefox has years of work to do to get where IE 3 was in terms of stability, reliability and consistency. We have no yardstick whatsoever to evaluate Firefox on security as 99.99% of all white, black and grey hat hackers are focused solely on IE. Consider that when bugs in Firefox are actually found, it's by us, the user community, and because of that they are the most blatant and obvious bugs you can imagine. Get a grip. Firefox is an interesting browser. But it's got a long way to go before it's mature enough to support real world scenarios. Anyone who says otherwise is just not being honest with themselves and their audience.

      By the way, yes, I use Firefox for most of my browsing. But I'm not fooling myself into thinking I'm any more secure than IE technically. I'm still extremely cautious about where I go and what I do (probably more so than I am when browsing with IE in XPSP2 which is probably, on a technical level, the most safe and secure browser out there). I do it just for a change of scenery and little UI tweaks like tabs.

      Be cautious about hype, especially with no technical facts to back it up. Use Firefox if you want, but do so with your eyes open. Just a thought.

  3. Re:Microsoft is so sweet by Anonymous Coward · · Score: 5, Insightful

    What OSS has to do is release ads to TELL people how bad IE is

    Never mention your competitor in advertising.
    No such thing as bad publicity; people tend to forget the details but "brand reinforcement" still applies. If you have to mention your competitor then it implies your product won't/can't stand up on its own merits = you have LOST.

    just an anon advertising exec

  4. Re:Microsoft is so sweet by Fortran+IV · · Score: 2, Insightful

    SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE. [Emphasis mine.]

    Get a grip. The internet is only the entire way of life for slashdotters and other nerds. "Outside of nerdville," most people will continue to be quite able to play softball, mow the lawn, and tell stories to their kids even without IE. Even I shall survive. Even thou mightest.

    --
    I figure by 2030 or so my 6-digit UID will be something to brag about.
  5. Re:Yet another reason... by danamania · · Score: 4, Insightful

    Not only the existence of the bug, but Microsoft's attitude towards the last one like this.

    From Microsoft Help & Support. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

    Just defeat the purpose of hyperlinks. Thanks MS!

  6. Re:Microsoft is so sweet by rainman_bc · · Score: 2, Insightful

    Actually, us nerds are moving everyone we know to Firefox, except for the few weirdos who like Avant and Opera ;)

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  7. Disable ActiveX by OverlordQ · · Score: 5, Insightful

    Disable ActiveX and this won't work. This exploit depends on ActiveX to run.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Disable ActiveX by fm6 · · Score: 2, Insightful

      If you're going to cripple Internet Explorer that way, why use it at all?

  8. Master Plan by BossMC · · Score: 2, Insightful

    I see what's going on here. Microsoft put so many exploits into IE that eventually the black hats will be overwhelmed with possibilities, to the point of quitting. It's like the vulnerability-options DDoS.

  9. NYT Ad by Adrilla · · Score: 3, Insightful

    In the NYT ad, they should've added every IE bug that's been discovered since Firefox was released. I mean they are probably the biggest contributors to FF's popularity.

    --
    "Plans are for fools!" - Oglethorpe, the Plutonian (Aqua Teen Hunger Force)
  10. Maturity by confusion · · Score: 3, Insightful

    I realize IE is probably a huge codebase and a big development team, but it is simply amazing that these problems keep popping up. A company with the size and resources of MS should have a much better handle on these things.

    Where I work, we have code reviews, automated code scrubbers, and extensive QA, and we're a relatively small shop compared to them.

    I know they're trying, otherwise it would be a lot worse, and SP2 did a good bit to improve things, so I can't be that hard on them.

    Jerry
    http://www.syslog.org/

  11. Re:No way! by hazem · · Score: 3, Insightful

    Customers and potential customers should complain to those banks and bill-pay services about these security problems.

    I won't use a bank or financial service that requires IE.

  12. Re:Microsoft is so sweet by HardwareLust · · Score: 1, Insightful

    They thank you profusely, until you leave and they come upon a site that doesn't work with FireFox. It's probably their bank or something important. Then, they curse your name profusely, proceed to download and install IE, and are back the way they were before they met you in 10 minutes.

    Firefox ain't quite ready for non-geeks just yet.

    --
    ...not that I'm a pirate.. Hell I've never even fired a cannon. - oldwolf13
  13. And now to the best house of cards on the planet by PeterHammer · · Score: 2, Insightful

    Maybe it's just me, but I would love to see what IE's source code must look like at this point with all the patching it has gone through over the years.

    Even more amazing perhaps are the facts that:

    • 90% of the planet still uses it
    • It is still the only way to get critical updates for about 50% of windows users out there
    • Other than (duh!) security bugs, it pretty much still works without a hitch

    Most certainly the best built house of cards on the planet!

  14. Re:Microsoft is so sweet by Michalson · · Score: 4, Insightful

    Comparing your product to a specific competitor in a commercial suggests to the viewer that you are either neck and neck or more frequently that you're in the #2 position. If you are the actual market leader, or you want to be the leader, you *don't* want to send that kind of message.
    Negatively advertising about your competitor (talking about why their product is bad, rather than why yours is good) is bad no matter what position in the market you're in. Instead of saying you're the underdog but people should try you out, you're saying your competitor is bad, so you're all that's left. People aren't interested in leftovers and those winning by default. If Firefox wants to successfully advertise, it should be talking about "faster browsing" without actually mentioning what it is being compared to, let alone naming Microsoft or IE.

    And that, boys and girls, is why the basement-dwelling "me too" fanatics who crowd around OSS are doing far more harm to OSS adoption than good. No business is going to suddenly switch to open source as long as "OMG M$ IS TEH SUX0RS!!!!!!!" is the message crowding out any intelligent and level-headed promotion of true technical and cost superiority.

  15. Re:Microsoft is so sweet by schtum · · Score: 2, Insightful

    IANA Ad Exec, but my observation has been that this only applies if you are in (or near) first place, especially in a two-horse race. For example, Coke will never mention Pepsi, but Pepsi often mentions Coke in their ads because they have nothing to lose. Likewise, George Bush would only refer to John Kerry as "my opponent" during the campaign, even when they were standing face to face in the debates. I kept wishing Kerry would hit back with some wise-ass remark like "I know you don't read the news, but you really should know my name by now." But I digress...

  16. Re:Surprisingly, a patch is already out by HermanAB · · Score: 2, Insightful

    Just copy?

    Which was first: Mosaic/Netscape/Mozilla, or Internet Explorer?

    Which was first: Unix, VMS, or Windows?

    Which TCP/IP stack is Windows using?

    Which was first: Xerox Parc, Apple Lisa, or Windows GUIs?

    You need a history lesson pal.

    --
    Oh well, what the hell...
  17. And Firefox is vulnerable to other attacks by skoda · · Score: 4, Insightful

    I'm trying Firefox currently. While it passed the test for this new attack, it's vulnerable to at least one other attack described by Secunia: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

    Anyone know the score? What is Firefox vulnerable to and when will it be updated?

    1. Re:And Firefox is vulnerable to other attacks by fliptw · · Score: 2, Insightful

      If you install Tabbed Browser Extensions, the vulnerability test fails.

  18. Re:Microsoft is so sweet by Anonymous Coward · · Score: 1, Insightful

    This is preposterous.

    If everyone is calling for your head to roll, it would clearly be preferable for people to be talking about anything other than you, or nothing at all.

    Some publicity is bad publicity. Anyone who says otherwise is fooling themselves.

    e.g. Watergate

  19. Re:Which version of Firefox isn't? by 0111+1110 · · Score: 2, Insightful

    I'm thinking hard here, and the only things I am coming up with are OS shell integration and ActiveX.

    JavaScript whitelisting and/or security zones. I cannot always remember to turn off JavaScript after I have enabled it for a particular site, so this is a very important feature to me. Until Firefox adds it I'll stick with IE, thank you very much.

    How many of these exploits work with active scripting and ActiveX turned off? Not many.

    --
    Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  20. Re:Surprisingly, a patch is already out by Commander+Trollco · · Score: 2, Insightful

    And the patch for Windows security is out too!

    Lunix I mean Service pack 3... it will fill your security holes. In today's day and age, why are people still not switching from an inferior product to one that is clearly the wave of the future? Go Linux!

    --
    http://persianews.on.nimp.org/?u=Tar_Baby
  21. Re:Microsoft is so sweet by Anonymous Coward · · Score: 1, Insightful

    Opera rocks, dude, nothin' weird about it.

  22. Re:Microsoft is so sweet by mcrbids · · Score: 2, Insightful

    Never mention your competitor in advertising.
    No such thing as bad publicity; people tend to forget the details but "brand reinforcement" still applies. If you have to mention your competitor then it implies your product won't/can't stand up on its own merits = you have LOST.

    So.... does this mean that Microsoft has already lost when they mention 'Get the Facts'???

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  23. Not mentioning your competitor by Geoff-with-a-G · · Score: 2, Insightful

    That's a fine principle when you're selling soda or cleaning products, but many of the people you're trying to reach don't even know what a "web browser" is.

    There are tons of people who "click on the 'e'" or "go into the Internet" or "use the Internet Explorer to get to Google".

    These people don't even realize that "web browser" is a product they use, made by multiple companies. If you're lucky, they remember Netscape. If they read "Firefox 1.0!" in a newspaper, they skim past it just like they skim past "Blade-servers" and "Middleware". These are words that don't relate to their lives, so the words slide right off their minds.

    You need to catch their attention with something they recognize, something that relates to them, like "Microsoft Internet Explorer is bad!" or "Hate pop-up windows?", then you explain to them that they can use Firefox instead.

    Firefox not mentioning IE is like alternative energy providers not mentioning coal or oil for fear that it might raise awareness of coal and oil. Everybody is already aware, you need to accept that and use it.