New Spoofing Vulnerability in IE
Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."
Get it here
Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
Every time there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!
Just tried it with Safari. Clicking the demo link does absolutely nothing. Turning off pop-up blocking and clicking the link does ... absolutely nothing.
Next.
Not the advertised exploit, but pretty damn annoying in its own right.
No, you're not safe. Check this out. It is recent too, released on Dec 10, 2004.
To me, whenever I see a vulnerability article for IE on Slashdot, I say to myself "Man...why does that seem like it's such a trivial programming error to fix?" as opposed to when there's a vulnerability to Firefox/all browsers, when it's something like "Wow, someone really took some time to craft that one out"...just a thought.
It is pitch black. You are likely to be eaten by a grue.
Next, we'll be reading about studies showing that two hydrogen atoms and one oxygen atom form a clear, wet substance.
I have the latest version of Spoofstick (1.02 released 8/18/2004) and PivX Qwik-Fix Pro (v1.4) and the vulnerability tests positive in my up-to-date IE: a new window appears with both IE and Spoofstick reporting the site as citibank.com
Hopefully the guys over at the mozilla.org website will take note of the current number of Firefox downloads to see what size surge this generates. I'd love to see a nice graph with key dates on it for that matter - the PR1 release, the 1.0 release, the announcement of the various IE exploits... :)
UNIX? They're not even circumcised! Savages!
This is not a reason to use Firefox - it's useless in Firefox.
I just clicked the demo link using Firefox 1.0, and nothing happened at ... all. Oh.
Never mind.
sigs, as if you care.
...people start banging on Firefox hard enough to expose vulnerabilities?
Or, is Mozilla just that good at plugging leaks before they happen?
I really want to try this but I have such problems getting stuff to run in wine.
What changed under Obama? Nothing Good
With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.
OK. I use Mozilla anyway, so I shouldn't care about this particular bug. But the last couple mentioned here on /. that affected Mozilla, used Javascript to transfer data entered from one window to another. There's been a few of these, so I disabled Javascript and turn it on only when needed. Is this such a hard workaround? If you like IE, and you need ActiveX, can you just leave it off until a webpage needs it? There's going to be hundreds of these exploits popping up -- no one can fix them all.
You mean people STILL use IE, once they've been to Slashdot? Doesn't seem to really relate to us any more..
I like muppets.
Not only the existence of the bug, but Microsoft's attitude towards the last one like this.
From Microsoft Help & Support. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."
Just defeat the purpose of hyperlinks. Thanks MS!
Disable ActiveX and this won't work. This exploit depends on ActiveX to run.
Your hair look like poop, Bob! - Wanker.
I see what's going on here. Microsoft put so many exploits into IE that eventually the black hats will be overwhelmed with possibilities, to the point of quitting. It's like the vulnerability-options DDoS.
Here we have one that broke up with IE. Fun story ;)
http://reviews.cnet.com/4520-3513_7-5570803-1.html?tag=nl.e497/
In the NYT ad, they should've added every IE bug that's been discovered since Firefox was released. I mean they are probably the biggest contributors to FF's popularity.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
Where I work, we have code reviews, automated code scrubbers, and extensive QA, and we're a relatively small shop compared to them.
I know they're trying, otherwise it would be a lot worse, and SP2 did a good bit to improve things, so I can't be that hard on them.
Jerry
http://www.syslog.org/
Microsoft bashing is always fun, but I really just want to be able to use any browser, on any OS. This is why I hope Firefox takes off.
"People who don't give a shit just plain don't know about it." I recently told a guy who is responsible for IT at a public school about Firefox. He had not heard of it.
Ignorance is curable, stupid is forever.
So, to check a Hotmail message, I just need to manually type
http://by2fd.bay2.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1103631600.24&start=3248752&len=4735&imgsafe=n&curmbox=F000000001&a=b2cbfd3baddabfc913aacc3f36f8590f
in my address bar....
Thanks, Microsoft! I needed to brush up on my typing skills.
http://it.slashdot.org/article.pl?sid=04/10/30/1555251&tid=113&tid=128&tid=172&tid=1
I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam with what looks like 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.
(with pointed finger) Ha-Ha
music lover since 1969
Maybe it's just me, but I would love to see what IE's source code must look like at this point with all the patching it has gone through over the years.
Even more amazing perhaps are the facts that:
Most certainly the best built house of cards on the planet!
...if they just posted news announcing days when vulnerabilities aren't found in IE.
--AC
This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.
This bug, however, allows breaking cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your Hotmail account if you happened to be logged in, sending random replies to them, etc...
Use your imagination.
Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.
All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work across more environments.
lol, that's the one thing that pisses me off more than anything about using a Hotmail account: they convert all links into total gobbledygook just so they can stick that Hotmail header on wherever you head, which makes it totally impossible to verify where you're being directed to.
I've had a good portion of my Windoze using friends and neighbors come up to me and ask if I have Firefox. Previously, these same people would glaze over when I attempted to explain why using IE wasn't a good idea. But now they feel "in the know", and are going around sharing their newfound knowledge with anyone who didn't see the ad. Far be it from me to rain on their parade :-)
I'm trying Firefox currently. While it passed the test for this new attack, it is vulnerable to at least one other attack described by Secunia: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
Anyone know the score? What is Firefox vulnerable to, and when will it be updated?
ShoutingMan.com
If you are really curious Sam Spade has a link deobfuscator feature.
BTW the site seems to not be working right now, but that should be temporary.
I'm a firm believer in the philosophy of a ruling class. Especially since I rule. -Randal, Clerks
I'm thinking hard here, and the only things I am coming up with are OS shell integration and activeX, which are dubious at best.
It has surpassed IE in the following categories:
And if you don't like it, you have the ability to uninstall it!
I used to bulls-eye womp-rats in my pants
Bill Gates died and went to heaven. As he stood in front of St.Peter at the Pearly Gates, he saw a huge wall of clocks behind him. He asked, "What are all those clocks?"
St. Peter answered, "Those are Software Vulnerability Clocks. Every computer program on Earth has a Software Vulnerability Clock. Every time a program is compromised due to a bug in the code, the hands on that program's clock will move.
"Oh," said Bill, "which clock is that?"
"That's the UNICOS clock. The hands have never moved, indicating that it was never compromised by an attacker."
"Incredible," said Bill. "And which clock is that one?"
St. Peter responded, "That's the OpenBSD clock. The hands have moved twice, telling us that the "Only one remote hole in the default install, in more than 8 years!" was compromised only two times in this operating system's life."
"Where's Internet Explorer's clock?" asked Bill.
"That's in Jesus' office. He's using it to drive the generators, which provide power for our celestial copy of Las Vegas."
I'm thinking hard here, and the only things I am coming up with are OS shell integration and activeX
Javascript whitelisting and/or security zones. I cannot always remember to turn off javascript after I have enabled it for a particular site, so this is a very important feature to me. Until Firefox adds it I'll stick with IE thank you very much.
How many of these exploits work with active scripting and activeX turned off? Not many.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
No, not a dupe.
The vulnerability discussed in the article you linked is here:
http://secunia.com/advisories/13251/
which, as you can plainly see, is #13251. Secunia calls it the "window injection vulnerability."
The vulnerability discussed in THIS article is
http://secunia.com/advisories/13482/
Quite obviously number 13482. Secunia calls this one the "cross-site scripting vulnerability."
So no, they're not the same thing at all, and you're karma-whoring with falsely "informative" posts.
In Korea, long hair is for old people!
Never mention your competitor? I don't think competitor is quite the word here. IE vs. Firefox is not really a competition either. The reason Coke sells better than Pepsi is because people have tried both, and they think "I like Coke better." The reason 90% or so (the vast majority) of people use Internet Explorer isn't because they think "I tried both and, weighing the features of each, I choose IE."
It's much more of a matter of people (A) not hearing about Firefox, and (B) not using it because they don't know how.
Both can easily be solved with a 5-minute download and 30 seconds of explaining "popup blocker" and "safe browsing".
Back to 'never mention your competitor in advertising' is usually a bad idea because:
1) It recognizes the competition, implies that they are viable competitors, and creates awareness of them.
2) It credits/merits the competition, almost suggests there's a reason to choose their product.
I really don't feel that either of the two apply here.
A) IE is very recognized. I don't think there is anyone that uses the internet that doesn't know what it is.
B) Nobody 'chooses' IE. It is spoon-fed to everyone and most people either don't know better or don't care.
C) "Implies your product won't/can't stand up on its own merits" --Well, in a way it can't. The biggest problem with other browsers is lack of awareness. If you don't represent Firefox as 'an alternative to IE' you will not be likely to influence anyone but attuned computer users.
D) As for "= you have LOST" -- Either that, or 'are losing' or 'are behind'. EVERY PC and Mac comes standard with IE, and EVERY PC has it currently installed. The vast majority of people who use the internet use IE. Firefox has a long way to go.
All in all, Firefox is the best browser available. If you don't believe me, then you probably don't have the AdBlock extension installed. For now, yell as loud as you can, "INTERNET EXPLORER SUCKS, USE FIREFOX". Seems to work pretty well for me.
Partial Credit: The Engineer's Best friend
"Well, the bridge didn't fall all the way down!"
That's a fine principle when you're selling soda or cleaning products, but many of the people you're trying to reach don't even know what a "web browser" is.
There are tons of people who "click on the 'e'" or "go into the Internet" or "use the Internet Explorer to get to Google"
These people don't even realize that "web browser" is a product they use, made by multiple companies. If you're lucky, they remember Netscape. If they read "Firefox 1.0!" in a newspaper, they skim past it just like they skim past "Blade-servers" and "Middleware". These are words that don't relate to their lives, so the words slide right off their minds.
You need to catch their attention with something they recognize, something that relates to them, like "Microsoft Internet Explorer is bad!" or "Hate pop-up windows?", then you explain to them that they can use Firefox instead.
Firefox not mentioning IE is like alternative energy providers not mentioning coal or oil for fear that it might raise awareness of coal and oil. Everybody is already aware, you need to accept that and use it.