Slashdot Mirror


Apple Plugs IDN Spoof Bug

mmarlett writes "Security Update 2005-003 updates Safari's support for International Domain Names (IDN) to prevent lookalike characters from being used to spoof the URL displayed in the address field, SSL certificate, or status bar. Opera fixed this in February while Mozilla just dropped support for IDNs, and you may recall that Internet Explorer did not suffer from this exploit because it sucks."

26 comments

  1. A good solution by cuijian · · Score: 4, Interesting

    This seems like a much better short-term solution than other browsers have come up with. Apple managed to keep International Domain Name support for most of their customers (particularly in countries like Japan and China where they are starting to be widely used) and address the security issue.

    I'm not sure what the right long-term solution is. It's not ideal to have to turn off support for Cherokee, Cyrillic and Greek. It seems like the domain registrars need to take some of the responsibility.

    1. Re:A good solution by gorre · · Score: 5, Interesting
      I'm not sure what the right long-term solution is. It's not ideal to have to turn off support for Cherokee, Cyrillic and Greek.
      Perhaps rendering non-ASCII characters in a different colour so the user can tell the difference between a lookalike character and the "real thing" could be an option? Not perfect but it's something that springs to mind which may be better than turning off IDN support completely.
      --
      "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
    2. Re:A good solution by zonx+lebaam · · Score: 1
      Or perhaps allowing the user to choose *a single* primary script which is always rendered as is, and using punyscript/colorizing/other for other scripts.

      This is similar to the roman-default solution used now, but more general.

      Note that it is less general than the total solution now presented which allows the savvy user to activate multiple scripts with similar looking glyphs, but better protects said savvy users from phishing.

    3. Re:A good solution by cuijian · · Score: 5, Informative

      Apple's solution is based on a user editable white list of allowed scripts so that's already there for you.

      You can choose *a single* primary script (or two, or...), whatever you want. You can even turn off all IDN support.

  2. here we go ; ) by mabu · · Score: 4, Funny

    Internet Explorer did not suffer from this exploit because it sucks.

    Microsoft sycophant whine-fest in 3..2..1..

  3. on IE's 'immunity' by Tumbleweed · · Score: 4, Funny

    Internet Explorer did not suffer from this exploit because it sucks.

    I guess you could call this "security through deplorability".

  4. Re:here we go ; ) by Anonymous Coward · · Score: 0

    We'll have to take your word for it - it will be impossible to hear them over the deafening din of the ongoing Apple and Linux sycophant whine-fests.

  5. Patch covers a bit more ... by Hungus · · Score: 5, Informative

    Security Update 2005-003

    AFP Server Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
    CVE-ID: CAN-2005-0340
    Impact: A specially crafted packet can cause a Denial of Service against the AFP Server.
    Description: A specially crafted packet will terminate the operation of the AFP Server due to an incorrect memory reference.

    AFP Server
    Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
    CVE-ID: CAN-2005-0715
    Impact: The contents of a Drop Box can be discovered.
    Description: Fixes the checking of file permissions for access to Drop Boxes. Credit to John M. Glenn of San Francisco for reporting this issue.

    Bluetooth Setup Assistant
    Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
    CVE-ID: CAN-2005-0713
    Impact: Local security bypass when using a Bluetooth input device.
    Description: The Bluetooth Setup Assistant may be launched on systems without a keyboard or a preconfigured Bluetooth input device. In these cases, access to certain privileged functions has been disabled within the Bluetooth Setup Assistant.

    Core Foundation
    Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
    CVE-ID: CAN-2005-0716
    Impact: Buffer overflow via an environment variable.
    Description: The incorrect handling of an environment variable within Core Foundation can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by correctly handling the environment variable. Credit to iDEFENSE and Adriano Lima of SeedSecurity.com for reporting this issue.

    Cyrus IMAP
    Available for: Mac OS X Server v10.3.8
    CVE-ID: CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015, CAN-2004-1067
    Impact: Multiple vulnerabilities in Cyrus IMAP, including remotely exploitable denial of service and buffer overflows.
    Description: Cyrus IMAP is updated to version 2.2.12, which includes fixes for buffer overflows in fetchnews, backend, proxyd, and imapd. Further information is available from http://asg.web.cmu.edu/cyrus/download/imapd/changes.html.

    Cyrus SASL
    Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
    CVE-ID: CAN-2002-1347, CAN-2004-0884
    Impact: Multiple vulnerabilities in Cyrus SASL, including remote denial of service and possible remote code execution in applications that use this library.
    Description: Cyrus SASL is updated to address several security holes caused by improper data validation, memory allocation, and data handling.

    Folder permissions
    Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
    CVE-ID: CAN-2005-0712
    Impact: World-writable permissions on several directories, allowing potential file race conditions or local privilege escalation.
    Description: Secure folder permissions are applied to protect the installer's receipt cache and system-level ColorSync profiles. Credit to Eric Hall of DarkArt Consulting Services, Michael Haller (info@cilly.com), and (root at addcom.de) for reporting this issue.

    Mailman
    Available for: Mac OS X Server v10.3.8
    CVE-ID: CAN-2005-0202
    Impact: Directory traversal issue in Mailman that could allow access to arbitrary files.
    Description: Mailman is a software package that provides mailing list management. This update addresses an exposure in Mailman's private archive handling that allowed remote access to arbitrary files on the system. Further information is available from http://www.gnu.org/software/mailman/security.html.

    Safari
    Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
    CVE-ID: CAN-2005-0234
    Impact: Maliciously registered International Domain Names (IDN) can make URLs visually appear as legitimate sites.
    Description: Support for Unicode characters within domain names (International Domain Name support) can allow maliciously registered domain names to visually appear as legitimate sites. Safari has been modified so that it consults a user-customizable list of scripts that are allowed to be displayed natively. Characters based on scripts that are not in the allowed list are displayed in their Punycode equivalent. The default list of allowed scripts does not include Roman look-alike scripts. Credit to Eric Johanson (ericj@shmoo.com) for reporting this issue to us.

    --
    Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical, OK
    1. Re:Patch covers a bit more ... by zonx+lebaam · · Score: 1

      Has Apple been giving this kind of credit to bugfinders for a long time, or is this new? I can't remember seeing them in their update blurbs in the past.

    2. Re:Patch covers a bit more ... by moof1138 · · Score: 2, Informative

      Yeah, they've been giving credit pretty much since the release of OS X. You can find the old blurbs here:

      http://docs.info.apple.com/article.html?artnum=300667

      --

      Hyperbole is the worst thing ever.
    3. Re:Patch covers a bit more ... by Anonymous Coward · · Score: 0

      Those assholes didn't give me any credit for the bug I reported. I even gave them the exact code change to fix it (a Darwin issue). It just magically appeared in the next release, with no mention whatsoever. Fuckers.

  6. Slashdot by Anonymous Coward · · Score: 2, Insightful
    "you may recall that Internet Explorer did not suffer from this exploit because it sucks."
    • News for nerds ... professionalism that ceased in '99.

    1. Re:Slashdot by Anonymous Coward · · Score: 1, Insightful

      This is a forum with community provided news. It is also pro-Linux.

      Expect the odd joke or even rabid insult about Microsoft. Besides, IE really does suck compared to the other browsers in the market at the moment :)

      As for professionalism - one glance at the effort of the editors to construct correct sentences, check for duplicates etc. would tell you that /. has never been professional. It is not that sort of site. It is a good place to get some info relatively quickly, without having to check a dozen different sites. It occasionally has useful comments by some users.

      But it is not, and never has been a "professional" news forum. A forum for professionals (and others), yes... but that's not the same thing :)

      In the spirit of open source, I invite you to fork a project using /. code (or some code that actually doesn't suck), and make that as professional as you want!

  7. Right... by cold+wolf · · Score: 2, Insightful

    So if IE sucks because it doesn't support IDN, then Mozilla just started sucking since it dropped IDN.

    I don't think I can take much more suckage. Hurry up, Archy...

    1. Re:Right... by bad_fx · · Score: 5, Informative

      Mmm, except Mozilla didn't "drop" IDN. The original /. article had that wrong, as did the submitter of this story who just regurgitated from that. In fact they set the default to disabled - but it's still there and you can turn it back on if needed (in about:config network.enableIDN I think). In addition their advisory on this had the following to say:

      This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1.

    2. Re:Right... by molo · · Score: 4, Informative

      Actually, IDN works in Firefox 1.0.1, but the punycode URL is displayed instead of the unicode characters. This is still a temporary solution. It can be overridden by changing network.IDN_show_punycode to false.

      -molo

      --
      Using your sig line to advertise for friends is lame.
    3. Re:Right... by bad_fx · · Score: 1

      Ah, you're right - just tested this on http://www.shmoo.com/idn/. Even better then! :)

  8. Mozilla didn't drop it... by Anonymous Coward · · Score: 2, Interesting

    At least Firefox already implements the same solution as Apple, to display the url in punycode form.

    1. Re:Mozilla didn't drop it... by ESqVIP · · Score: 2, Informative

      Almost right. Mozilla did not drop IDN support, just shows every IDN in punycode form (meaning that it will not make punycode URLs look pretty, but if you give it a Japanese domain it will convert it to punycode, so there is some support running in there).

      Apple, on the other hand, only shows punycode if your URL contains characters from sets that look like latin. A much better approach IMO, since users will be able to see URLs in their language instead of some illegible "xn--pbt44a.jp" while being protected from clones of non-IDN websites.

      My other concern: aren't there kanjis that look exactly the same? Do they have different codes (very likely)? This could lead to CJK-oriented phishing schemes. Fortunately I believe they are quite rare.

      Or maybe we should have a new term, like sushi, for oriental phishing :-)
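The two display policies contrasted in this thread (Safari's allowed-scripts whitelist, as described in the advisory text quoted in the "Patch covers a bit more" post, versus Firefox 1.0.1 showing every IDN label in punycode) can be put side by side in a few lines. The following is an added example, not Apple's or Mozilla's code; it assumes a demo whitelist (the advisory only says the default excludes "Roman look-alike scripts", not which scripts are in it), detects scripts heuristically from Unicode character names because the standard library has no Script property, and uses constructed sample hostnames (a Cyrillic "а", U+0430, standing in for a Latin "a", and a Japanese label).

```python
"""Display policy for IDN hostnames: allowed-scripts whitelist (the approach the
Safari advisory describes) versus always-Punycode (the Firefox 1.0.1 behaviour
described in this thread).

Added example; not Apple's or Mozilla's code. Script detection is a heuristic
built on Unicode character names, because the standard library does not expose
the Unicode Script property (UAX #24); a real implementation would use the
Script/Script_Extensions data.
"""
import unicodedata

# Assumed whitelist for the demo. The advisory only says Safari's default
# excludes "Roman look-alike scripts"; the exact list is not on the page.
DEFAULT_ALLOWED_SCRIPTS = frozenset({"LATIN", "CJK", "HIRAGANA", "KATAKANA", "HANGUL"})

# Name prefixes of characters that belong to no script (legal in any label).
COMMON = frozenset({"DIGIT", "HYPHEN-MINUS"})


def scripts_in(label: str) -> set:
    """Heuristic set of scripts used by one label, taken from unicodedata names:
    'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC',
    'CJK UNIFIED IDEOGRAPH-65E5' -> 'CJK'. Unnamed code points count as UNKNOWN
    so they can never satisfy a whitelist."""
    found = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        first = name.split()[0] if name else "UNKNOWN"
        if first not in COMMON:
            found.add(first)
    return found


def to_ascii(label: str) -> str:
    """Punycode (xn--) form of one label via the stdlib IDNA codec."""
    return label.encode("idna").decode("ascii")


def to_unicode(label: str) -> str:
    """Decode an xn-- label so the policy is applied to what the user would see;
    anything that fails to decode is left as-is (and therefore stays ASCII)."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label


def display_label(label, allowed=DEFAULT_ALLOWED_SCRIPTS, always_punycode=False):
    """Decide how one label is shown in the address bar.

    always_punycode=True  -> every non-ASCII label is shown as xn-- (Firefox 1.0.1).
    always_punycode=False -> shown natively only if every script it uses is in
                             `allowed`; otherwise shown as xn-- (the Safari policy).
    """
    native = to_unicode(label)
    if native.isascii():
        return native
    if always_punycode or not scripts_in(native) <= allowed:
        return to_ascii(native)
    return native


def display_host(host, allowed=DEFAULT_ALLOWED_SCRIPTS, always_punycode=False):
    """Apply display_label to every label of a hostname."""
    return ".".join(display_label(part, allowed, always_punycode) for part in host.split("."))


if __name__ == "__main__":
    # Constructed sample hostnames: Cyrillic U+0430 in place of Latin 'a',
    # a Japanese label, and the same two labels already in xn-- form.
    for h in ["www.apple.com", "\u0430pple.com", "xn--pple-43d.com",
              "\u65e5\u672c.jp", "xn--wgv71a.jp"]:
        print(f"{h:18} whitelist -> {display_host(h):18} "
              f"always-punycode -> {display_host(h, always_punycode=True)}")
```

With the whitelist policy the Cyrillic look-alike label falls back to its xn-- form while the Japanese label stays readable, which is the trade-off the reply above describes; adding "CYRILLIC" to `allowed` makes the look-alike render natively again, which is exactly why the advisory leaves Roman look-alike scripts out of the default list.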

  9. Older version of Mac OS X need not apply... by zx-6e · · Score: 1

    ...because they are not supported.

    1. Re:Older version of Mac OS X need not apply... by Anonymous Coward · · Score: 0

      Apple, like Microsoft, has never been shy about forcing upgrades.

      It is in their nature to get you to spend money left and right on Apple-related products, or software upgrades. They are greedy that way.

      (I say this as someone who is an iBook owner, and Apple convert. I still realise that their only true loyalty is to their bottom line - just like any other company.)

  10. I'm done. by Smilin · · Score: 5, Funny

    I try to be an open minded person. I try and recognize both the strengths and weaknesses of Linux, Windows, Firefox, IE, you name it.

    Being a Windows admin I have to put up with a lot of crap to participate at slashdot in a positive and open minded fashion. I'm done. I haven't read an article here in months that I didn't already come across on my own. I'm also fed up with the blatant bias and lack of professionalism on the part of slashdot employees and mods.

    I'll go read my news elsewhere and spare myself the ration of shit that comes from you elitist snobs when reading it here.

    1. Re:I'm done. by Anonymous Coward · · Score: 0

      Don't let the door hit you in the ass on the way out.

      Asshole.

    2. Re:I'm done. by mmkkbb · · Score: 1

      Hey man, it's not just Windows admins that think this place is a ration of shit. :)

      Why'd you come here anyway? Were you looking for abuse? I mean, you obviously ARE new here.

      --
      -mkb