New Spoofing Vulnerability in IE
Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."
Get it here
Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
Every time there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!
Not the advertised exploit, but pretty damn annoying in its own right.
No, you're not safe. Check this out. It is recent too, released on Dec 10, 2004.
To me, whenever I see a vulnerability article for IE on Slashdot, I say to myself "Man...why does that seem like it's such a trivial programming error to fix?" as opposed to when there's a vulnerability to Firefox/all browsers, when it's something like "Wow, someone really took some time to craft that one out"...just a thought.
It is pitch black. You are likely to be eaten by a grue.
Tried it all in Konqueror, and no problems at all. I hate hackers but maybe these problems will finally start driving people towards alternative browsers. My website currently gets 85% Windows users and only 65% IE users. So that's a good start away from IE.
Want to learn about anything sexual? Check out the sex wiki:
Hopefully the guys over at the mozilla.org website will take note of the current number of Firefox downloads to see what size surge this generates. I'd love to see a nice graph with key dates on it for that matter - the PR1 release, the 1.0 release, the announcement of the various IE exploits... :)
UNIX? They're not even circumcised! Savages!
This is not a reason to use Firefox - it's useless in Firefox.
I just clicked the demo link using Firefox 1.0, and nothing happened at ... all. Oh.
Never mind.
sigs, as if you care.
...people start banging on Firefox hard enough to expose vulnerabilities?
Or, is Mozilla just that good at plugging leaks before they happen?
I really want to try this but I have such problems getting stuff to run in wine.
What changed under Obama? Nothing Good
With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.
I just tried it with a potatoe peel. Nothing. ;)
As it said.. IE. Secunia does test these things on other browsers and as they have shown in the past they are likely to come up with cross-browser exploits in the future.
Not only the existence of the bug, but Microsoft's attitude towards the last one like this.
From Microsoft Help & Support. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."
Just defeat the purpose of hyperlinks. Thanks MS!
Disable ActiveX and this won't work. This exploit depends on ActiveX to run.
Your hair look like poop, Bob! - Wanker.
In the NYT ad, they should've added every IE bug that's been discovered since Firefox was released. I mean they are probably the biggest contributors to FF's popularity.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
Where I work, we have code reviews, automated code scrubbers, and extensive QA, and we're a relatively small shop compared to them.
I know they're trying, otherwise it would be a lot worse, and SP2 did a good bit to improve things, so I can't be that hard on them.
Jerry
http://www.syslog.org/
So, to check a Hotmail message, I just need to manually type
http://by2fd.bay2.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1103631600.24&start=3248752&len=4735&imgsafe=n&curmbox=F000000001&a=b2cbfd3baddabfc913aacc3f36f8590f
in my address bar....
Thanks, Microsoft! I needed to brush up on my typing skills.
I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam with what looks like 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.
(with pointed finger) Ha-Ha
music lover since 1969
A college tutor who has been telling us for the last three weeks to "keep up with the industry, read magazines and web sites!" etc. hadn't heard of Mozilla Firefox when I mentioned it (it was a lesson on security and I said that I would recommend using an alternative to IE such as Firefox).
The funny thing was that the next PowerPoint slide she brought up was an example of email spoofing, and the example was showing an email coming from webmaster@mozilla.com.
Linux Wireless Hardware in the UK
...if they just posted news announcing days when vulnerabilities aren't found in IE.
--AC
This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verify the URL of the site they're in instead of going by the look & feel of the page.
This bug, however, allows breaking cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
Use your imagination.
Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.
All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work across more environments.
lol, that's the one thing that pisses me off more than anything about using a hotmail account, they convert all links into total gobbledygook just so they can stick that hotmail header on wherever you head, makes it totally impossible to verify where you're being directed to
I am trying Firefox currently. While it passed the test for this new attack, it is vulnerable to at least one other attack described by Secunia: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
Anyone know the score? What is Firefox vulnerable to and when will it be updated?
ShoutingMan.com
Bill Gates died and went to heaven. As he stood in front of St.Peter at the Pearly Gates, he saw a huge wall of clocks behind him. He asked, "What are all those clocks?"
St. Peter answered, "Those are Software Vulnerability Clocks. Every computer program on Earth has a Software Vulnerability Clock. Every time a program is compromised due to a bug in the code, the hands on that program's clock will move.
"Oh," said Bill, "which clock is that?"
"That's the UNICOS clock. The hands have never moved, indicating that it was never compromised by an attacker."
"Incredible," said Bill. "And which clock is that one?"
St. Peter responded, "That's the OpenBSD clock. The hands have moved twice, telling us that the "Only one remote hole in the default install, in more than 8 years!" was compromised only two times in this operating system's life."
"Where's Internet Explorer's clock?" asked Bill.
"That's in Jesus' office. He's using it to drive the generators, which provide power for our celestial copy of Las Vegas."
Never mention your competitor? I don't think competitor is quite the word here. IE vs. Firefox is not really a competition either. The reason Coke sells better than Pepsi is because people have tried both, and they think "I like Coke better." The reason 90% or so (the vast majority) of people use Internet Explorer isn't because they think "I tried both and weighing the features of each, I choose IE."
It's much more of a matter of people (A) not hearing about Firefox, and (B) not using it because they don't know how.
Both can easily be solved with a 5-minute download and 30 seconds of explaining "popup blocker" and "safe browsing".
Back to 'never mention your competitor in advertising' is usually a bad idea because:
1) It recognizes the competition, implies that they are viable competitors, and creates awareness of them.
2) It credits/merits the competition, almost suggests there's a reason to choose their product.
I really don't feel that either of the two apply here.
A) IE is very recognized. I don't think there is anyone that uses the internet that doesn't know what it is.
B) Nobody 'chooses' IE. It is spoon-fed to everyone and most people either don't know better or don't care.
C) "Implies your product won't/can't stand up on its own merits" --Well, in a way it can't. The biggest problem with other browsers is lack of awareness. If you don't represent Firefox as 'an alternative to IE' you will not be likely to influence anyone but attuned computer users.
D) As for "= you have LOST" -- Either that, or 'are losing' or 'are behind'. EVERY PC and Mac comes standard with IE, and EVERY PC has it currently installed. The vast majority of people who use the internet use IE. Firefox has a long way to go.
All in all, Firefox is the best browser available. If you don't believe me, then you probably don't have The AdBlock Extension installed. For now, yell as loud as you can, "INTERNET EXPLORER SUCKS, USE FIREFOX". Seems to work pretty well for me.
Partial Credit: The Engineer's Best friend
"Well, the bridge didn't fall all the way down!"