Slashdot Mirror


New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."

24 of 372 comments

  1. Microsoft is so sweet by Anonymous Coward · · Score: 5, Interesting

    Every time there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!

    1. Re:Microsoft is so sweet by TheDarkener · · Score: 4, Interesting

      Yes, and outside of nerdville, who gives a shit about Firefox?

      Just about everyone I install Firefox for (almost all non-geeks)... People who don't give a shit just plain don't know about it. Firefox is faster, it has a nicer interface, and prevents things like popups and bad security practice within the browser environment. The people that start using Firefox by force (by me) usually thank me profusely and rave to me (and their other non-geek friends) about it within 30 minutes of using it.

      Plus, just look at the themes!! Who doesn't like themes??

      --
      It is pitch black. You are likely to be eaten by a grue.
    2. Re:Microsoft is so sweet by shawb · · Score: 3, Interesting

      Woah. So that's the reason for the phrase "... than the leading brand." as in "20% more cotton than the leading brand" or whatever. I just assumed that it was to prevent litigation.

      Then again, I suppose the phrase could be used for both reasons.

      --
      I'll never make that mistake again, reading the experts' opinions. - Feynman
    3. Re:Microsoft is so sweet by Mr.+No+Skills · · Score: 4, Interesting

      While that may be true, your message is posted right smack dab in the middle of Nerdville -- it's Central Park, so to speak. You're a Republican who's walked into the middle of the Democratic convention and yelled at them to get a grip.

      Of course we'll survive. It's just the internet. But, many of us are software professionals. We care so much about this we decided to make a career of this. We care so much about this we're willing to give away our ideas as open source projects, just to share them with the world. Forgive us if we care passionately about this, and think that basic things like browsers should not have security hole after security hole till we wonder if it will ever stop.

      And, it's not even too much of a stretch. Enough people get screwed with identity theft, and the trust of the system falls apart and it ceases to be a method that many of us earn a living with. If one of the largest companies in the world can't even fix their browser, with all the resources of an almost monopoly on the market and stock options to hire every CS post graduate student on the planet -- a technology that went through its basic definition years ago -- it puts into question the entire value of software professionals.

      --
      Sleep is for the Weak
    4. Re:Microsoft is so sweet by SoSueMe · · Score: 5, Interesting

      There's a philosophy in politics that goes like this: "It doesn't matter what they're saying about you, as long as they're talking about you. When they stop talking about you, you are dead".

    5. Re:Microsoft is so sweet by Fortran+IV · · Score: 4, Interesting

      And of course you are quite correct--it's a matter of proportion, not of fact. I've spent a great deal of time myself ranting about Microsoft and the harm they continue to do to the industry in general. My nickname is not idly chosen; it's the language I first programmed professionally in. But even I, a former "computer professional," have been too lazy to try Firefox yet, and am just bumbling along in IE. (Although security headaches at work are probably going to force the necessary trials on me soon.)

      But I can't name any other profession in which it is possible to profitably release product after product while being completely incompetent to produce. [Ignore management; it's not their job to produce.] You don't have to be a good programmer to succeed; you only have to look good. I was taught programming by a college professor who believed--seriously believed--that having five consecutive GOTO statements was a valid result of "structured programming"! I've seen countless examples (as have most people here) of bad programming. I decided years ago that anybody who actually trusts a computer is insane. I rely on computer records; I have no choice unless I want to live in a hovel in the woods and keep all my money in a mason jar. But I don't trust them, and I never will; I've known too doggone many programmers.

      Just yesterday I had a lengthy discussion with my boss (the company owner) about why IE (and Windows in general) is so weak. With all the resources of an almost monopoly on the market, you said--that is exactly the problem. Microsoft has little motivation to do more than keep hot-patching the holes in IE and Windows instead of tearing up the whole street and laying a solid foundation. In the 1960's and 1970's, IBM stayed on top of the mainframe market despite having one of the worst OS's around, because they had the most ruthlessly effective body of marketeers anybody'd ever seen; only the virtual disappearance of the mainframe market took IBM from the top. As long as Microsoft's marketeering position stays strong, MS software will stay weak.

      Quality is good. Many people will pay for quality when they can find it; people are downright amazed when they can get quality for free. But the majority of available products are going to remain Wal-Mart quality, because the vast majority of people are still going to get whatever is on the shelf at Wal-Mart.

      And their world won't end. But its shine may tarnish a lot more easily.

      --
      I figure by 2030 or so my 6-digit UID will be something to brag about.
  2. GNU WGet Multiple Remote Vulnerabilities by enosys · · Score: 4, Interesting

    No, you're not safe. Check this out. It is recent too, released on Dec 10, 2004.

  3. Geez... by TheDarkener · · Score: 3, Interesting

    To me, whenever I see a vulnerability article for IE on Slashdot, I say to myself "Man...why does that seem like it's such a trivial programming error to fix?" as opposed to when there's a vulnerability in Firefox/all browsers, when it's something like "Wow, someone really took some time to craft that one out"...just a thought.

    --
    It is pitch black. You are likely to be eaten by a grue.
  4. Re:Yet another reason... by Zocalo · · Score: 3, Interesting

    Hopefully the guys over at the mozilla.org website will take note of the current number of Firefox downloads to see what size surge this generates. I'd love to see a nice graph with key dates on it for that matter - the PR1 release, the 1.0 release, the announcement of the various IE exploits... :)

    --
    UNIX? They're not even circumcised! Savages!
  5. Re:No way! by computerme · · Score: 2, Interesting

    I agree in general, but there are some banks / online bill payment services that don't work with Firefox yet.

  6. So I disable javascript ... by Ralconte · · Score: 2, Interesting

    OK. I use Mozilla anyway, so I shouldn't care about this particular bug. But the last couple mentioned here on /. that affected Mozilla, used Javascript to transfer data entered from one window to another. There's been a few of these, so I disabled Javascript and turn it on only when needed. Is this such a hard workaround? If you like IE, and you need ActiveX, can you just leave it off until a webpage needs it? There's going to be hundreds of these exploits popping up -- no one can fix them all.

  7. what!? by Turn-X+Alphonse · · Score: 2, Interesting

    You mean people STILL use IE, once they've been to Slashdot? Doesn't seem to really relate to us any more.

    --
    I like muppets.
    1. Re:what!? by LGagnon · · Score: 2, Interesting

      You mean people STILL use IE, once they've been to Slashdot?

      Apparently, they still do.

  8. Changing from IE by EyelessFade · · Score: 2, Interesting

    Here we have one that broke up with IE. Fun story ;)
    http://reviews.cnet.com/4520-3513_7-5570803-1.html?tag=nl.e497/

  9. Microsoft bashing by linders · · Score: 2, Interesting

    Microsoft bashing is always fun, but I really just want to be able to use any browser, on any OS. This is why I hope Firefox takes off.

  10. Some who SHOULD care do not know by TFGeditor · · Score: 2, Interesting

    "People who don't give a shit just plain don't know about it." I recently told a guy who is responsible for IT at a public school about Firefox. He had not heard of it.

    --
    Ignorance is curable, stupid is forever.
    1. Re:Some who SHOULD care do not know by NetNifty · · Score: 3, Interesting

      A college tutor who has been telling us for the last three weeks to "keep up with the industry, read magazines and web sites!" etc. hadn't heard of Mozilla Firefox when I mentioned it (it was a lesson on security and I said that I would recommend using an alternative to IE such as Firefox).

      The funny thing was that the next PowerPoint slide she brought up was an example of email spoofing, and the example showed an email coming from webmaster@mozilla.com.

  11. Outlook / Outlook Express? by Twintop · · Score: 4, Interesting

    I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam that looks 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.

  12. Re:Surprisingly, a patch is already out by drsmithy · · Score: 2, Interesting

    Firefox's NTLM authentication works perfectly and transparently here (ie: you never see a username/password prompt).

    Now, it _is_ talking to a Squid proxy authenticating to AD via winbind and not IAS, but I wouldn't have thought that mattered from a client perspective...

  13. Re:Yet another reason... by Tlosk · · Score: 3, Interesting

    lol, that's the one thing that pisses me off more than anything about using a Hotmail account: they convert all links into total gobbledygook just so they can stick that Hotmail header on wherever you head, which makes it totally impossible to verify where you're being directed to.

  14. The Times ad was effective by CustomDesigned · · Score: 2, Interesting

    I've had a good portion of my Windoze using friends and neighbors come up to me and ask if I have Firefox. Previously, these same people would glaze over when I attempted to explain why using IE wasn't a good idea. But now they feel "in the know", and are going around sharing their newfound knowledge with anyone who didn't see the ad. Far be it from me to rain on their parade :-)

  15. Re:How long until... by Frogbert · · Score: 2, Interesting

    The main benefit is that Mozilla is good at plugging leaks after they happen. That is an important distinction. Microsoft can sit on their hands for months before a serious bug is fixed. Mozilla users are treated to a security fix days, possibly hours, after.

  16. Re:And Firefox is vulnerable to other attacks by SirTalon42 · · Score: 2, Interesting

    My Konqueror browser isn't vulnerable to that; could be because I have pop-ups open up in a new tab (assuming they are allowed, which about 99% are not: they're blocked).

  17. NEVER mention competitor?? by ShimmyShimmy · · Score: 3, Interesting

    Never mention your competitor? I don't think competitor is quite the word here. IE vs. Firefox is not really a competition either. The reason Coke sells better than Pepsi is because people have tried both, and they think "I like Coke better." The reason 90% or so (the vast majority) of people use Internet Explorer isn't because they think "I tried both and, weighing the features of each, I choose IE."

    It's much more of a matter of people (A) not hearing about Firefox, and (B) not using it because they don't know how.
    Both can easily be solved with a 5-minute download and 30 seconds of explaining "popup blocker" and "safe browsing".

    Back to 'never mention your competitor in advertising': it is usually a bad idea because:

    1) It recognizes the competition, implies that they are viable competitors, and creates awareness of them.
    2) It credits/merits the competition, almost suggests there's a reason to choose their product.

    I really don't feel that either of the two apply here.

    A) IE is very recognized. I don't think there is anyone that uses the internet that doesn't know what it is.
    B) Nobody 'chooses' IE. It is spoon-fed to everyone and most people either don't know better or don't care.

    C) "Implies your product won't/can't stand up on its own merits" --Well, in a way it can't. The biggest problem with other browsers is lack of awareness. If you don't represent Firefox as 'an alternative to IE' you will not be likely to influence anyone but attuned computer users.

    D) As for "= you have LOST" -- Either that, or 'are losing' or 'are behind'. EVERY PC and Mac comes standard with IE, and EVERY PC has it currently installed. The vast majority of people who use the internet use IE. Firefox has a long way to go.

    All in all, Firefox is the best browser available. If you don't believe me, then you probably don't have the AdBlock extension installed. For now, yell as loud as you can, "INTERNET EXPLORER SUCKS, USE FIREFOX". Seems to work pretty well for me.

    --
    Partial Credit: The Engineer's Best friend
    "Well, the bridge didn't fall all the way down!"