New Spoofing Vulnerability in IE

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."

Surprisingly, a patch is already out

Get it here

Re:Surprisingly, a patch is already out

[YOU+LIKEWISE+FAIL+IT]

If it's the IAS proxy that requires NTML authentication, you can always pipe requests through this python rewriting proxy.

YLFI

Re:Surprisingly, a patch is already out

[Trepalium]

NTLM authentication works fine in recent versions of Mozilla/Firefox/Gecko, even on non-Windows platforms. Plug in the proxy server settings, and go. Firefox will ask for your proxy authentication on the first page request, and remember it until you close the browser.

Re:Surprisingly, a patch is already out

[AstroDrabb]

Firefox doesn't even have to prompt you for NTLM if you are logged into a windows domain. However, for security, Firefox only sends NTLM to servers you give the OK to.

In the URL bar type about:config and then filter for "ntlm". In the network.automatic-ntlm-auth.trusted-uris just put a comma separated list of servers you want Firefox to send your NTLM to. For example, double click network.automatic-ntlm-auth.trusted-uris and put in foo.com,bar.com,slashdot.org

The only thing I wish Firefox did was to allow a wild card domain name like *.mycompany.com. My network.automatic-ntlm-auth.trusted-uris entry has gotten pretty long at work : (

Vulnerability Confirmed on Avant Browser

[Eyah....TIMMY]

Using the latest version of Avant Browser, on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.

Re:Vulnerability Confirmed on Avant Browser

[zarniwoop102939]

As suggested in the article, you can block the vulnerability in Avant by disabling ActiveX (Tools | Disable ActiveX). This is how I browse with Avant by default, along with:

- Block Flash
- Block Popups
- Block Ads
- Disable Sounds
- Disable Videos
- Disable Java Applets

Makes pages load very fast, and if I need one of those functions for the page I'm on, I just toggle it on for the session.

Between these security features and still having the compatibility of IE, that's why I love Avant so much. Yes I used Firefox for 2 weeks, and went back to Avant.

Microsoft is so sweet

Everytime there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!

Re:Microsoft is so sweet

What OSS has to do is release ads to TELL people how bad IE is

never mention your competitor in advertising
no such thing as bad publicity, people tend to forget the details but "brand reinforcement" still applies, if you have to mention your competitor then it implies your product wont/cant stand up on its own merits = you have LOST

just an anon advertising exec

Re:Microsoft is so sweet

[TheDarkener]

Yes, and outside of nerdville, who gives a shit about Firefox?

Just about everyone I install Firefox for (almost all non-geeks)... People who don't give a shit just plain don't know about it. Firefox is faster, it has a nicer interface, and prevents things like popups and bad security practice within the browser environment. The people that start using Firefox by force (by me) usually thank me profusely and rave to me (and their other non-geek friends) about it within 30 minutes of using it.

Plus, just look at the themes!! Who doesn't like themes??

Re:Microsoft is so sweet

[ticklemeozmo]

What OSS has to do is release ads to TELL people how bad IE is, not how good Mozilla is alongside. SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE.

Or maybe a simple 5 color-coded chart!

RED - Browsing with IE
ORANGE - something witty
YELLOW - something wittier
GREEN - Browsing with Firefox
BLUE - Unplugging your network cable

Firefox(tm). The next safest thing to unplugging your network connection.

Re:Microsoft is so sweet

[Mr.+No+Skills]

While that may be true, your message is posted right smack dap in the middle of Nerdville -- it's central park, so to speak. You're a Republican who's walked into the middle of the Democratic convention and yelled at them to get a grip.

Of course we'll survive. It's just the internet. But, many of us are software professionals. We care so much about this we decided to make a career of this. We care so much about this we're willing to give away our ideas as open source projects, just to share them with the world. Forgive us if we care passionately about this, and think that basic things like browsers should not have security hole after security hole till we wonder if it will ever stop.

And, it's not even too much of a stretch. Enough people get screwed with identity theft, and the trust of the system falls apart and it ceases to be a method that many of us earn a living with. If one of the largest companies in the world can't even fix their browser, with all the resources of an almost monopoly on the market and stock options to hire every CS post graduate student on the planet -- a technology that went through its basic definition years ago -- it puts into question the entire value of software professionals.

Re:Microsoft is so sweet

[SoSueMe]

There's a philosophy in politics that goes like this: "It doesn't matter what they're saying about you, as long as they're talking about you. When they stop talking about you, you are dead".

Re:Microsoft is so sweet

[OldManAndTheC++]

RED - Browsing with IE
ORANGE - Giving your cat a bath
YELLOW - Cooking bacon in the nude
GREEN - Browsing with Firefox
BLUE - Unplugging your network cable

Re:Microsoft is so sweet

[Michalson]

Comparing your product to a specific competitor in a commercial suggests to the viewer that you are either neck and neck or more frequently that you're in the #2 position. If you are the actual market leader, or you want to be the leader, you *don't* want to send that kind of message.
Negatively advertising about your competitor (talking about why their product is bad, rather then why yours is good) is bad no matter what position in the market you're in. Instead of saying you're the underdog but people should try you out, you're saying your competitor is bad, so you're all that's left. People aren't interested in leftovers and those winning by default. If Firefox wants to successfully advertise, it should be talking about "faster browsing" without actually mentioning what it is being compared to, let alone naming Microsoft or IE.

And that boys and girls is why the basement dwelling me too fanatics who crowd around OSS are doing far more harm to OSS adoption then good. No business is going to suddenly switch to open source as long as "OMG M$ IS TEH SUX0RS!!!!!!!" is the message crowding out any intelligent and level headed promotion of true technical and cost superiority.

Re:Microsoft is so sweet

[Fortran+IV]

And of course you are quite correct--it's a matter of proportion, not of fact. I've spent a great deal of time myself ranting about Microsoft and the harm they continue to do to the industry in general. My nickname is not idly chosen; it's the language I first programmed professionally in. But even I, a former "computer professional," have been too lazy to try Firefox yet, and am just bumbling along in IE. (Although security headaches at work are probably going to force the necessary trials on me soon.)

But I can't name any other profession in which it is possible to profitably release product after product while being completely incompetent to produce. [Ignore management; it's not their job to produce.] You don't have to be a good programmer to succeed; you only have to look good. I was taught programming by a college professor who believed--seriously believed--that having five consecutive GOTO statements was a valid result of "structured programming"! I've seen countless examples (as have most people here) of bad programming. I decided years ago that anybody who actually trusts a computer is insane. I rely on computer records; I have no choice unless I want to live in a hovel in the woods and keep all my money in a mason jar. But I don't trust them, and I never will; I've known too doggone many programmers.

Just yesterday I had a lengthy discussion with my boss (the company owner) about why IE (and Windows in general) is so weak. With all the resources of an almost monopoly on the market, you said--that is exactly the problem. Microsoft has little motivation to do more than keep hot-patching the holes in IE and Windows instead of tearing up the whole street and laying a solid foundation. In the 1960's and 1970's, IBM stayed on top of the mainframe market despite having one of the worst OS's around, because they had the most ruthlessly effective body of marketeers anybody'd ever seen; only the virtual disappearance of the mainframe market took IBM from the top. As long as Microsoft's marketeering position stays strong, MS software will stay weak.

Quality is good. Many people will pay for quality when they can find it; people are downright amazed when they can get quality for free. But the majority of available products are going to remain Wal-Mart quality, because the vast majority of people are still going to get whatever is on the shelf at Wal-Mart.

And their world won't end. But its shine may tarnish a lot more easily.

Re:Microsoft is so sweet

[Michalson]

Good start. The main issues are that "1337", and "monopoly" may be confusing to your average consumer (they'll have no idea what "1337" is, and will be confused about why you are comparing your product to a board game)

A fundemental rule of marketing is that your commercials should be understandable by your entire demographic (sometimes ad campaigns will use "inside jokes" if the demographic they are targeting is tight enough, but it's still risky). By using special words or concepts only known or believed by a small number of people will mean you risk (or nearly guarantee) having your commercial coming across to your audiance like The Architect from The Matrix trying to sell them car insurance - ..concordantly the 5% saved through a 2 driver plan inexorably causes a diminution of the overall non-fault accident premiums. Ergo those signing up before January 1st will...

GNU WGet Multiple Remote Vulnerabilities

[enosys]

No, you're not safe. Check this out. It is recent too, released on Dec 10, 2004.

How long until...

[dew4au]

...people start banging on Firefox hard enough to expose vulnerabilities?

Or, is Mozilla just that good at plugging leaks before they happen?

Re:How long until...

[lewiz]

Somehow the poster of the parent has been modded down for Trolling, regardless of the fact that it is a valid point, within the context of the article, and definitely not a troll.

I frequently wonder what will happen as people start to shift more focus onto the software we so highly regard. Hands down Firefox is a more usable browser but I don't think it yet has the sort of attention that Internet Explorer does. Until such a time we will never truly know just how resilient Firefox is.

Wine Help

[anagama]

I really want to try this but I have such problems getting stuff to run in wine.

Re:Yet another reason...

[danamania]

Not only the existence of the bug, but Microsoft's attitude towards the last one like this.

From Microsoft Help & Support. "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

Just defeat the purpose of hyperlinks. Thanks MS!

Disable ActiveX

[OverlordQ]

Disable ActiveX and this wont work. This exploit depends on ActiveX to run.

Re:Yet another reason...

[azuroff]

So, to check a Hotmail message, I just need to manually type

http://by2fd.bay2.hotmail.msn.com/cgi-bin/getmsg ?m sg=MSG1103631600.24&start=3248752&len=4735&imgsafe =n&curmbox=F000000001&a=b2cbfd3baddabfc913aacc3f36 f8590f

in my address bar....

Thanks, Microsoft! I needed to brush up on my typing skills.

Outlook / Outlook Express?

[Twintop]

I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam with what looks like 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.

misunderstood vulnerability

[metalpet]

This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.

This bug however allows to break cross-domain scripting boundaries.
A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
Use your imagination.

Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.

All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work accross more environments.

And Firefox is vulnerable to other attacks

[skoda]

I trying Firefox currently. While it passed the test for this new attack, it vulnerable to at least one other attack described by Secunia: http://secunia.com/multiple_browsers_window_inject ion_vulnerability_test/

Anyone know the score? What is Firefox vulnerable to and when will it updated?

MSIE's clock.

[rice_burners_suck]

Let's put one of these chain emails to good use:

Bill Gates died and went to heaven. As he stood in front of St.Peter at the Pearly Gates, he saw a huge wall of clocks behind him. He asked, "What are all those clocks?"

St. Peter answered, "Those are Software Vulnerability Clocks. Every computer program on Earth has a Software Vulnerability Clock. Every time a program is compromised due to a bug in the code, the hands on that program's clock will move.

"Oh," said Bill, "which clock is that?"

"That's the UNICOS clock. The hands have never moved, indicating that it was never compromised by an attacker."

"Incredible," said Bill. "And which clock is that one?"

St. Peter responded, "That's the OpenBSD clock. The hands have moved twice, telling us that the "Only one remote hole in the default install, in more than 8 years!" was compromised only two times in this operating system's life."

"Where's Internet Explorer's clock?" asked Bill.

"That's in Jesus' office. He's using it to drive the generators, which provide power for our celestial copy of Las Vegas."