Slashdot Mirror


Shmoo Group Finds Exploit For non-IE Browsers

shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
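The homograph trick the story describes is a lookalike label such as "pаypal" (Cyrillic а in place of Latin a) that the browser shows in Unicode while resolving its punycode form. As an added example, not part of the story or the Shmoo Group demo, here is the check a browser, CA or mail filter could apply to a hostname before trusting it: decode each label to punycode, flag labels that mix scripts, and flag labels whose confusable-folded "skeleton" matches a protected name. The script heuristic uses Unicode character names, and the confusables table and protected-name list are small constructed stand-ins for the real Unicode confusables data and a deployment's own list.

```python
# Added example: flag IDN labels that mix scripts or that fold to a
# protected brand name once lookalike letters are replaced.
import unicodedata

# Scripts the heuristic distinguishes; anything else counts as Common
# (digits, hyphen, punctuation) and is ignored for mixing purposes.
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}

# Constructed confusables table: non-Latin letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
})

# Constructed list of names worth protecting (a deployment supplies its own).
PROTECTED = {"paypal", "slashdot"}

def script_of(ch):
    """Script family of one character, taken from its Unicode name prefix."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPTS else "Common"

def scripts_in(label):
    """Set of non-Common scripts used in a label."""
    return {script_of(c) for c in label} - {"Common"}

def check_label(label):
    """Classify one hostname label given in Unicode (not punycode) form."""
    label = unicodedata.normalize("NFKC", label).lower()
    punycode = label.encode("idna").decode("ascii")   # what DNS actually sees
    scripts = scripts_in(label)
    skeleton = label.translate(CONFUSABLES)           # fold lookalikes to Latin
    reasons = []
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    if skeleton != label and skeleton in PROTECTED:
        reasons.append(f"confusable with {skeleton!r}")
    return {"label": label, "punycode": punycode, "skeleton": skeleton,
            "suspicious": bool(reasons), "reasons": reasons}

def check_hostname(host):
    """Run check_label over every label of a hostname."""
    return [check_label(part) for part in host.split(".")]

if __name__ == "__main__":
    for result in check_hostname("p\u0430ypal.com"):   # constructed lookalike
        print(result)
```

A legitimate single-script IDN such as "münchen" passes both checks, while the all-Latin "paypal" is never flagged against itself.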

15 of 621 comments

  1. Canned Slashdot Response by bigtallmofo · Score: 4, Funny

    Serves those Internet Explorer users right! They should immediately switch to ... uh, wait. Nevermind.

    --
    I'm a big tall mofo.
  2. Switch by Anonymous Coward · Score: 5, Funny

    Damnit... now I'm switching back.

  3. Call me a flamer.... errr by isa-kuruption · Score: 1, Funny

    This is a good reason why we should just force all nations in the world to adopt a single language, English.

    Erm of course... if I were French, I would just sed 's/English/French/' that last sentence and you wouldn't set me -1 Flamebait.

  4. I'm waiting for the patch from MS by gustgr · Score: 5, Funny

    Ok, it doesn't work in IE... so when will the patch be released? I mean... it is IE, the exploits HAVE to work. Microsoft should be worried, they are not doing their job properly.

  5. Strength from weakness by XxtraLarGe · Score: 2, Funny

    The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

    IE is safer because it doesn't support a feature? Don't worry, I'm sure the plug-in will be installed with the next security update!

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
  6. Re:Why? by Anonymous Coward · Score: 1, Funny

    Hmm.. hiding exploits so that you can take your sweet time getting the fixes done? Do you work for Microsoft?

  7. New Microsoft Security Mantra by IvanHo · Score: 2, Funny

    Security through inutility

  8. Rebuttals by Jacco de Leeuw · Score: 4, Funny
    • Oh, come on! Even I saw the differences between those two a's!
    • Move your pointer to the padlock and you'll see that the certificate was signed by the UserTrust Network instead of the usual suspects (Verisign, Thawte etc.).
    • Certificates from the UserTrust Network are not to be trusted anyway. They don't check anything and you cannot trace back the owner of the domain.
    • CAs should reject CSRs with these characters.
    • The CA should revoke those certificates. (You did enable OCSP, didn't you?)
    • It doesn't work with links/lynx.
    :-)
    --
    -------
    Warning: Slashdot may contain traces of nuts.
  9. I wouldn't call that an exploit... by MerlinTheWizard · Score: 1, Funny

    It's merely a "trick".

    Anyone should know better than to base their trust on being on a particular, secure web page only on the address shown in the address bar! Everyone should know that they shouldn't access secure web pages from external links.

    If you write "Pope" on your forehead, do you think people will believe you're the pope? And by the way, funny that for once, the lack of a functionality actually "saves" IE, for one of the biggest security concerns is ActiveX...

  10. we only had 8 bits, and we liked it by syrinx · Score: 1, Funny

    This is why we should just stick with IBM's 8 bit extended ASCII characters.

    Who needs Cyrillic when you have all those lines and stuff? And the cent symbol?

    --
    Quidquid latine dictum sit, altum sonatur.
  11. Re:Another IDN bug on Firefox by Jerry · Score: 1, Funny

    Works for me!

    --
    Running with Linux for over 20 years!

  12. Re:Another IDN bug on Firefox by Anonymous Coward · Score: 1, Funny

    omg. now not only do people not read the articles, but they don't even read the posts in the thread they're responding to. :P

  13. Re:Another IDN bug on Firefox by callipygian-showsyst · Score: 4, Funny

    "I wonder if there's a quick and easy fix for this for Safari users,"

    There is! Run I.E. in a VirtualPC window.

  14. You're being too elitist by Tibor the Hun · Score: 5, Funny

    I'm planning on taking an airplane flight in 7 years, and am already taking classes on aeronautics, history of flight, airplane engineering, and am enrolled in the technical school for airplane building and maintenancy.^H^H

    Uh-oh, looks like my "delete" key stopped working again. Must need another .5 ohm resistor, with a diode overlay. I'll do that as soon as I'm done casting the waterpump for my car.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  15. The old MS spoofing quick-patch... by Curtman · Score: 3, Funny

    Why don't you just start typing in your URIs from now on?