Slashdot Mirror


New Phishing Flaw in Internet Explorer

JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (German) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

274 comments

  1. Why?? by liliafan · · Score: 2, Insightful

    I know IE is supposed to still be the most popular web browser there is, but my site shows Firefox is in much higher use (roughly 96%). But I guess that since over 97% of hits to my site have been from Slashdot that isn't so unusual, I was surprised to see that 98% of visitors used Windows.

    Why are people still using IE? Even the most uneducated users must have heard of alternative browsers by now. I am not specifically advocating any particular browser; I use Firefox, but I have heard great reports about Opera. Geez, these days I would use Lynx over IE (and quite often do). We hear about new vulnerabilities in IE all the time. IE users, get a clue.

    --
    GeekServ Unix Consulting Services (http://www.geekserv.com)
    1. Re:Why?? by LunaticTippy · · Score: 5, Insightful
      I'll tell you why.

      It's the default browser.

      I make it a point to install firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)

      The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.

      --
      Man, you really need that seminar!
    2. Re:Why?? by liliafan · · Score: 1

      I understand lack of user education but surely there is no one that hasn't at least heard of firefox by now, I mean if you have been on the web for more than a week you must have at least seen a link, there is news almost weekly on new IE vulnerabilities, when will the average user become educated and what more can us geeks do to push this?

      --
      GeekServ Unix Consulting Services (http://www.geekserv.com)
    3. Re:Why?? by Anonymous Coward · · Score: 0

      My guess (and this is probably only one possible factor), is that many people surf the web from their place of employment during the day. In a lot of cases, their employers only allow Internet Explorer on their machines so that is why the statistics for browser traffic tend to (barely) favor Internet Explorer. I would be interested in seeing statistics comparing browser usage and time of day.

    4. Re:Why?? by ZachPruckowski · · Score: 3, Insightful

      People keep IE because of two factors:

      1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.

      2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript

      Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use. They don't bother with the "Top 10 list for making Windows faster" because it requires registry edits or going deep into the preferences or something. They're not dumb, it's just that computers aren't their field, and they don't like the idea of spending an hour changing something.

    5. Re:Why?? by ThinkFr33ly · · Score: 4, Insightful

      You're missing the biggest factor.

      Most people just don't care what browser they're using. They just want to check their e-mail and go to myspace. It's as simple as that.

      Many of them don't even know what a "browser" is. They call it "The Internet".

      That's why people don't switch to Firefox.

    6. Re:Why?? by liliafan · · Score: 1

      Hmmm good point, I may try and track that statistic.

      --
      GeekServ Unix Consulting Services (http://www.geekserv.com)
    7. Re:Why?? by LunaticTippy · · Score: 4, Insightful
      I try to think of my mother as a typical user. She can just barely get around on a computer. I (and many of her friends and relatives) try to educate as best as we can, but it is slow. She still sends out chain letters, including the shergold one. She needed me to help her install flash to see a stupid website. I told her she could print out documents at kinko's and she showed up there with her files at home.

      Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.

      --
      Man, you really need that seminar!
    8. Re:Why?? by ZachPruckowski · · Score: 1

      The original poster claimed that people knew the difference between IE and Firefox. I gave him that assumption, which you are correct in disputing. I just like to argue on the grounds of "even if you're right, I still win" as a strategy. So even if everyone knows what FF is, my point still stands.

    9. Re:Why?? by Cruian · · Score: 2, Insightful

      Some people are used to Internet Explorer and its behavior. They can't get used to Firefox or similar browsers. I have tried to teach a few people to use Firefox, but they need the same lesson every time they sit down in front of it. Most of the alternate browsers have tabs, which seems to be the main cause for confusion that I have seen. Are there any alternate browsers that by default don't use tabs? I know you can get similar behavior with Firefox and probably others, but it is annoying to change preferences for just 10 minutes. We could try to give more in depth lessons on alternate browsers, and their benefits. Also, an index card with any differences from IE may prevent repeated lessons.

    10. Re:Why?? by E.+Edward+Grey · · Score: 1

      Oh, and also: most internal company websites are not standards-compliant and therefore require IE to display information correctly. Shit, I'm a VOIP guy and even Cisco's web applets don't work correctly unless you use IE.

      --

      ---don't make me break out my red pen.

    11. Re:Why?? by liliafan · · Score: 1

      I agree with the points you make, I just find it so frustrating that people won't learn.

      --
      GeekServ Unix Consulting Services (http://www.geekserv.com)
    12. Re:Why?? by charlesnw · · Score: 1

      Why was this modded as flame bait? That's just silly.

      --
      Charles Wyble System Engineer
    13. Re:Why?? by Da_Weasel · · Score: 1

      When you ask? Never...that's when. That's why they are users...as soon as they begin to care they stop being users...

      --
      If you must!
    14. Re:Why?? by Anonymous Coward · · Score: 0

      I used to get sick of all the pages that don't work in firefox, now I decided to use firefox but still have to open IE at least a few times a day for some websites, even some big name ones. Besides, you are completely wrong about everyone knowing about other browsers. I would argue that a high percentage of users don't even know the definition of a browser, it's just 'going on the internet' to them, and to get there, they click on the blue e on the desktop.

    15. Re:Why?? by liliafan · · Score: 1

      Those were exactly my thoughts. From looking through this thread, I haven't been flamed; mostly people have agreed with my overall opinion, if not all specific details.

      c'est la vie

      --
      GeekServ Unix Consulting Services (http://www.geekserv.com)
    16. Re:Why?? by liliafan · · Score: 1

      The web would be a much safer place if we could have a basic education test before allowing people to connect ;o)

      "Welcome to the web....to enter please answer the following multiple choice question correctly, if you get the answer right you will be allowed to connect, if you answer incorrectly we will use your unpatched version of IE to execute arbitrary code on your machine causing your modem to be destroyed"

      --
      GeekServ Unix Consulting Services (http://www.geekserv.com)
    17. Re:Why?? by ojustgiveitup · · Score: 1

      What does Firefox do by default with its tabbing functionality? In my experience you have to make a conscious effort to use tabs.

    18. Re:Why?? by boingo82 · · Score: 1
      My dad is what I'd consider an advanced user and not a moron. He has built all of my computers and his from pieces. This includes a p4 2800 for about $700 (including XP pro license) 4 years ago when p4 2800s were FAST. The thing is still rock solid and has been upgraded a few times.
      He repairs PCBs in construction lasers for a living, developing his own schematics. He owns his own successful business doing this and has the majority of the PCB repair in the nation. He knows his way around the registry, he can troubleshoot software and hardware issues. He can fix darn near any electronic device.

      And it STILL took me 2 years to wean him off IE.

      --
      As a republican I feel it my responsibity to manufacture criminals. People need punished!
    19. Re:Why?? by assassinator42 · · Score: 1

      They'll have to get used to tabs anyhow, when IE7 comes out.

    20. Re:Why?? by Anonymous Coward · · Score: 0

      I have to use IE at work, because scrabble on games.com never works right in Firefox.

    21. Re:Why?? by walt-sjc · · Score: 2, Interesting

      My father-in-law is another just like that. Imagine a guy that worked for 20 years at Digital (sales) and loses his 3-pane view in OE. Needs help getting it back. Said his speakers didn't work, found they were plugged into the mic jack. The guy is 70, so it's somewhat understandable, but it's amazing how many 30 year olds are like that too.

      My help-desk employees never fail to inform me of the latest escapades from the "famous five" users that just can't seem to grasp the basics and cause 70% of all the helpdesk calls. Unfortunately, it's viable from a business perspective to damn near dedicate a low-level help desk person to help these people rather than just fire them for incompetence (not having the skills needed to do the job.) These people are NOT trainable. They never learn from mistakes.

      The common computer user is lucky enough to have the basic skills to surf the net at all, and send email. Installing Firefox is WAY over the top, no matter how easy. It's also "uninteresting". They have better things to do, and IE DOES work - well enough anyway.

    22. Re:Why?? by Anonymous Coward · · Score: 0

      Believe it or not, telling me to "get a clue" is not going to make me want to switch, jerk.

      I use IE because it works well and does not have as large a memory footprint as Firefox. I don't visit "risky" sites and have not had a piece of spyware since ME. I have never been the victim of a phishing attack. Frankly unless google or slashdot or cibc decide they want to exploit this new bug and screw me, I am not too scared.

    23. Re:Why?? by micler · · Score: 1
      > Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use.

      I have a school teacher who knows nothing about computers. She does email, since people have come to expect that of her, but I'm positive she doesn't know what a browser is. When people like her hear of Firefox as a browser, they think it is something that is too difficult to figure out. When they hear of it as something that magically protects you from malware, they think it's too good to be true. They simply think that malware and spam and so on are the price you pay for using the internet. And with her, she has decided that it--viruses, spam, identity theft, and even the belief that there is no useful information out there-- is just not worth it, and thus will remain uneducated about it.

    24. Re:Why?? by Anonymous Coward · · Score: 0

      Well, anyone who invests in a tool and doesn't use it to its full potential and take care of it is less than smart.

      People put gas in their cars and have the oil checked, people close their fridge door and adjust the temperature, people stop the damn clock from flashing on their VCR. Laziness is not an excuse.

    25. Re:Why?? by Anonymous Coward · · Score: 1, Insightful

      "Many of them don't even know what a "browser" is. They call it "The Internet"."

      Word

    26. Re:Why?? by aplusjimages · · Score: 1

      I worked at a place that used Microsoft Projects, which only works properly in IE. I tried using it in FireFox and it loses some of the functionality.

      --
      Can I bum a sig?
    27. Re:Why?? by rowanwise · · Score: 1

      I hate to say it because I love the look and feel of Firefox, BUT has anyone considered what the press has said about Firefox in the past? Last year, Firefox was all over the press due to its security flaws. Now the average Joe User is gonna prefer IE (with its consistent vulnerability patches) over some new browser that might have security patches. Microsoft makes it extremely easy by simply downloading and installing security and it's all automatic! No mess, no fuss!

    28. Re:Why?? by RedOregon · · Score: 1

      I just tried it in FF 1.5.0.1 with the IE Tab extension. It opened one tab with Google in it, then another tab with their page in it. Interesting.

      --
      Skivvy Niner? Email me!
      HEY! Look left just ONE MORE TIME!
    29. Re:Why?? by cunts · · Score: 1

      Actually, you might be surprised at how few people give a shit about it. I'm quite regularly amazed. Trouble is, there are so many users out there who barely understand what a browser is, they just think that teh interwebs is something their computer 'does'.

      For example, today in work I was trying to demonstrate the OSS project management system that I've set up at the client, which is quite a large retailer, to their IT project manager. First I had to point him to the blue 'e' icon on his desktop because he didn't understand the terms 'web browser' or even 'Internet Explorer', and then when he opened it he wasn't sure where to type the new address (no wonder he has dozens of bookmarks, then). When he finally figured it out, he said he still couldn't access the site and it turned out he was putting "www." in front of the IP address that I was calling out to him. And he's been working in an IT department for the past 20 years. Try explaining about FF to someone like that.

      --
      "Laziness is nothing more than the habit of resting before you get tired" ~Jules Renard
    30. Re:Why?? by pyser · · Score: 1
      > since over 97% of hits to my site have been from Slashdot that isn't so unusual, I was surprised to see that 98% of visitors used Windows.


      Well, I read /. at work, mostly, and I have to use a Windows machine.
    31. Re:Why?? by Nazo-San · · Score: 3, Interesting

      My father is similar. He has built systems for each of us in the past until I knew enough to build my own. He got a computer engineer degree way back when and started out at least playing around with home systems like those little atari PC-type things that used basic. Later on DOS and such with tools such as Lotus for obvious reasons.

      Despite having spent more than a decade and a half on systems, even starting out before mice were even conceived of, he is not a completely mouse oriented person who doesn't know even simple keyboard shortcuts like CTRL+S. He works extensively with MS products like .NET, was the first to switch to NT among us (I had hardware issues for the longest time even with Win2K and liked 98SE better since it was more suitable to gaming/etc) and he hasn't even so much as dabbled in some live Linux distro where you almost can't screw up (at least, so long as you don't do some moron stunt like dd if=/dev/zero of=/dev/hda or something... But, lol, you deserve what you get then.) This is a computer engineer user who had to start out knowing how to design circuits and even build his own PC and having to write stuff like machine code. He WILL NOT consider alternatives to IE, Outlook, and other such tools. To my knowledge he has never even attempted another. I constantly tell him how great Opera is (and now that it's 100% free with no ads there's not any excuse not to at least try it anymore) and that Firefox with its extensions is pretty neat as well, but, he won't even try them.

      If we can't convert people like him, how in the heck are we going to convert people like Mr Average Joe Farmer who doesn't have the vaguest idea how to actually install another browser? They don't want to be bothered with having to do such things.

      I have managed to convert my grandmother to Opera though. I had my aunt, but, a while back there was trouble with a really important site and she ended up using IE. I can't seem to get her back now that Opera is compatible with even most of IE's proprietary crap and can fool braindead servers into thinking it is IE so they won't refuse to work anymore. I think I've managed to almost force my mother to switch to Firefox because there were problems with IE (surprise surprise.) I'm working as hard as I can, but, when I step into the computer labs at my school, I see some of the people there using IE, I still can't convert my dad, and, among those people who know even less about things like web browsers I haven't managed to reach anyone but my grandmother.

      Someone needs to run an ad campaign for Opera or something. Actually, come to think of it, my first thought was that the opensource Mozilla wouldn't have enough money for marketing, but, then again, considering how much they just donated to a good cause I wonder about that. Right now they rely a bit more than I like on word of mouth (well, ok, Opera is well known in the mobile segment, so many mobile users who enjoy having a browser that runs about as smoothly as you're going to get on a mobile device would be aware of the PC browser perhaps.) Then again, I guess the question is, can you get Average Joe to understand and care that IE is secretly installing backdoors on their system and sending all of their credit card info to some thirteen year old in New Jersey with too much free time? So far they just don't understand and keep on using it.

    32. Re:Why?? by Xerp · · Score: 2, Funny

      I often download the internet and put it onto someones hard disk for them.

      I still have people calling their computer the "hard disk". People who know nothing are still trying to sound vaguely competent by saying "my hard disk is broken". Of course, saying this to someone with 1 point more tech-savvy than them just ends up confusing the poor person... as they actually believe the person.

      So. What's the easiest way to get these technophobes to switch to Firefox? Let's see... make it as a flashy banner ad, spyware-style and they'll install it in no time!! ^^

    33. Re:Why?? by Richthofen80 · · Score: 1

      > BUT has anyone considered what the press has said about Firefox in the past? Last year, Firefox was all over the press due to its security flaws.

      I am a big Microsoft fan, but I think your viewpoint is misguided. Before the round of patches two years ago, IE was a spyware and malware magnet. I didn't even know what a hijacked browser was until I saw the shit my mom's computer had on it. It was a nightmare to fix. I hid all IE icons and installed Firefox, and changed its default icon, and most of the problems went away. IE is pretty close to being better, but my mom and hundreds like her were screwed by malware due to IE.

      Firefox took about 1/1000th the hit IE has in the last few years. Did IE get fixed? Yeah. But bad memories remain.

      Firefox, IMHO, is something that the OSS community got RIGHT. People can switch between IE and Firefox without knowing the difference. That's the idea. There aren't a lot of Linux distros or other software programs like that.

      --
      Reason, free market capitalism, and individualism
    34. Re:Why?? by Anonymous Coward · · Score: 0
      > 2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript

      It takes more time than that. My IE security was/is set via the zones which Firefox does not natively support. Even if it did, there are still ~100 or so sites in the trusted zone. There are many quirks in FF due to the lack of built-in security features. No comment on whether FF is secure. Further there is learning to config things in "about:config" which is somewhat hidden compared to IE's Internet Options. Furthermore, any self-respecting human does not need "flashblock" because they do not have flash (and avoid this .swf "problem").

      I use FF but hate the fricking FF lovers.

    35. Re:Why?? by BattleApple · · Score: 1

      ctrl-left-click will open a link in a new tab behind the current tab - nice when you're reading an article and want to read certain links later.
      If you have bookmarks grouped in folders, the sub menu for that folder will have an option "open in tabs" which will open all bookmarks in that group in separate tabs.

      shift-click will open a link in a new window

    36. Re:Why?? by advs89 · · Score: 0

      Ever heard of a Least Common Denominator, 'cause that's what it is. Web developers typically write their HTML for it, because if it renders correctly in IE, it will most likely render correctly in other browsers. Not necessarily the other way around. Actually, on second thought, disregard everything I just said... I have no idea what I'm talking about.

      --
      Rirelobql xabjf gung EBG-13 vf gur yrnfg frpher rapelcgvba rire, ohg jbhyq lbh jnfgr lbhe gvzr npghnyyl qrpelcgvat vg???
    37. Re:Why?? by CDarklock · · Score: 1, Informative

      > Why are people still using IE, even
      > the most uneducated users must have
      > heard of alternative browsers by now.

      I have very little difficulty with most of these "bugs" that get reported. They don't happen to me. The OSS devotees with whom I am acquainted are frequently claiming I lead some kind of charmed life.

      The fact is, most people do not practice secure browsing habits, which is a problem in ANY browser. There is nothing on the planet that can protect you from clicking a link to sucker.we-steal-your-money.com if you're stupid enough to do it. IE gives me more than enough ability to determine where this link really leads, and since I check the link before clicking it, I don't click those links. The idea that OSS advocates consider this some sort of abnormal magical protection is truly frightening.

      So why do I use IE? Because security is a process, not a product. I use IE safely. Other browsers often try to "protect" me by concealing the information I could use to make my own decision, making the decision for me instead. Some products actively prevent me from making my own decision, deliberately overriding my requests because they simply can't believe I might actually *want* to do what I said. This isn't security, it's infantilism. You can keep it. I'll use something that does what I tell it, even when it thinks I'm crazy. Like IE.

      Once upon a time, we used to say "UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things". We criticised Windows for preventing the user from doing clever things. Microsoft listened, and changed their stance significantly. So now we're criticising Windows for letting you do stupid things. How ironic.

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
    38. Re:Why?? by narkalepse · · Score: 2, Interesting

      Another reason: non-admin users in a large corporation whose requests for alternatives are denied. I am one of those.
      At home I use Firefox and Opera under Ubuntu.
      At work I am forced to use IE under WinXP.
      On the plus side, if the work PC gets slammed I am less likely to care. It would benefit the IT department most if this company used a more secure browser than IE. It is hard to change culture, impossible to change corporate culture.

      --
      ~Why even bother.
    39. Re:Why?? by Nazo-San · · Score: 1

      Well, you're kind of mistaken. Firstly, people WON'T stop that blinking (remember, we're talking about a majority, not just us slashdotters with more technical knowledge, and I see more blinking than non-blinking.) They don't understand how to set up the clock and despite the convenience of having a timed recording, they don't WANT to. Oh, and you have to factor out the newer VCRs that set themselves (albeit usually set to the wrong timezone or ignoring the correct DST setting.) Similarly, you'd be surprised how many just let the mileage pile up when the sticker says it's past time to get that oil change. I can't speak for the refrigerator though I've had the impression that people don't since they often are keeping things too cool with ice forming. The closing of the door and filling of the gas (and similarly the plugging in the VCR) are all more immediate quick solutions to obvious immediate problems, but, the light blinking, the mileage going way over that sticker, and the refrigerator forming a few icicles in the back are all quite common things to find.

      The first inclination is to think "oh, I just invested very heavily into this expensive machine, well, I darned well had best get it working and take care of it then." This is, in fact, wrong. The natural human inclination is incorrect here. In fact, what you should do is constantly reevaluate. Is it a more efficient and perhaps cheaper overall solution to go ahead and buy a new car, or is it better to keep repairing your clunker that takes about 10 tries to start on the days it feels like starting at all? Should you maybe give up on that old super-hq VCR you spent oodles of money on that loses its settings if you so much as look at it funny and get a TiVo which phones in and gets the info online? Should you trade your refrigerator with the door that leaks forcing you to raise the temperature so high that you know icicles form in the back just to keep it from keeping the food at the front too warm for maybe one of those nice new GE or whatever fridges promising amazingly efficient usage of power, easy use doors, and even a little special drawer just for keeping fresh foods extra fresh for longer? Heck, it's natural to want to hold on to your bad investment and try to make it work -- and heck, sometimes you can actually make it truly shine and come out better than the others for some particular task or other. Nonetheless, the smart thing to do is sell that bad investment if you can, dump it if you can't and get the nice efficient new thing that can outdo the old.

      Unfortunately, the natural reaction wins out most of the time even in the business world where people know better. Kind of a human factor sort of thing here to deal with.

      PS. Why is it that maybe 1/100 of the VCRs out there uses the absolutely ancient technology of storing data on memory backed up by a battery with a clock run similarly, yet, computers have been doing this since the 80s if not sooner? And in this day you can make it even easier by using, say 1 kilobyte of flash memory (because, if you think about it, all the VCR settings combined take very very little memory total) and not even have to back it up via battery. So you need a less powerful battery to keep it from losing its settings if the power blinks for such a short period of time that my computer's PSU manages to smooth it out and keep the PC from rebooting (I can't afford a UPS powerful enough to handle my system.) Bah, I have to finish getting my HTPC up and able to record, you need a DVR not a VCR these days.

    40. Re:Why?? by jp10558 · · Score: 1

      Firefox by default doesn't have tabs ...?

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    41. Re:Why?? by InvisibleSoul · · Score: 1

      Well, I do IT support work and have fixed dozens of computers plagued with malware... but I still personally choose to use Internet Explorer 6. I've tried Firefox and Opera, and frankly I just didn't like them as much, and also don't have a reason to switch. I actually even tried IE 7 Beta 1 and didn't like that either. One, I'm confident enough that I won't fall victim to malware, and two, even if I somehow did get malware automatically installed on my machine, I'm confident that I can get rid of it.

      Oh, and can you believe Cisco's new Content Services Switch CSS11501 has a web based GUI that will only work with IE still?!

    42. Re:Why?? by SkjeggApe · · Score: 1

      Did you try the POC exploit in TFA? The whole point of it is that you see a javascript link that doesn't say "hahahahURmine()", but "externalLink()" or something like it (which doesn't appear to be alarming), and the page you end up on, says www.google.com in the url bar, but you are NOT on google.com, but on usgovernementwantsyoursearchqueries.com and now all your queries belong to US.

    43. Re:Why?? by mmmiiikkkeee · · Score: 0

      > The average (I don't want to say idiot) user simply doesn't think or know about other browsers.

      Glad you didn't say idiot here; one component of the problem (and yes, it is a problem) is that people are ignorant about these things. I remember the first time I saw Firefox; I was in a CS class in high school, and my teacher showed it to me, showed how it did what IE did. I was like, so what??? I did not get it... to me it was the exact same tool; it had some shiny plug-in crap... my first thought was, great, and why in the hell do I need this? I am already used to one thing. I shrugged it off as nothing new (like how there are 20 million different kinds of programs to play your music, and I could care less which one did it as long as it worked)... Later I learned more about how IE sucks, about how people I knew were getting malware on their computers... I shrugged this off too; I was always careful where I clicked and what sites I went to. I figured (at the time) people with malware were just going to risky sites, or doing so without changing their security settings... I think it was when I started to surf porn that I realized more that IE sucks. I was a responsible noob, turned all my IE security settings to their max and went on my way... this was great for a while... then I noticed some small strange settings were changed without my say... it was obvious IE was exploited and that was how these things went amiss. I did not get any pop-ups, no known proz running in the background... just a few settings changed, and I noticed while using my computer it was annoying... At that point I did not know of any alternatives; I had long forgotten about Firefox, which I had seen only once in its early stages, so I lived with the annoyances... Later my sister's bf told me to try Firefox; I about shrugged him off again, but this time I gave it a go... it did not do anything for me feature-wise really that was too cool, but I felt safer with it. And frankly, after seeing some of the computers others I know have and all their malware crap, I decided to stick with it. Now I am easing my way into Linux... and Firefox on Linux is the only place I feel safe to browse my porn. For people that don't hear about IE exploits and don't browse porn, I can imagine them seeing no reason to use Firefox other than tabbed browsing (which is just shiny, and people just want things to work in the end), since for most IE is the default, which is almost like a standard to them; sad.

    44. Re:Why?? by sl4shd0rk · · Score: 2, Insightful

      Most people just don't care what browser they're using.

      Actually, what I've found is that taking the time to explain to people what spyware is, how the popups get there, why they have 1300 infections, and that there is something they *can* do to minimize their risk, they are all for the idea.

      They do not tend to respond well to: "Ditch that windows IE bullshit retard. go get firefox. what's your fucking problem?".

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    45. Re:Why?? by Anonymous Coward · · Score: 0

      Ten minutes to download maybe (though more like 2 on a half-decent broadband connection), then click install. Couple of "where'd you like this" and "yes, I'm OK with the licence" clicks, and about 20s to install. Run it. Click "Yes, I'd like to make this default" and "yes, import my bookmarks and stuff". Done. Total time to complete: about 30-40s plus download time.
      Setting up a prettier theme and some extensions to actually make it worth using may take a little longer...

      I agree, though - Joe Average can't be bothered and doesn't see the point.

    46. Re:Why?? by ChristW · · Score: 1
      [E]xcept for at work, where we have a couple of IE-only apps.
      There's also the Active-X plugin for FireFox, which also works with third-party OCXs. All you need to do is add the Class IDs to Firefox\defaults\prefs\activex.js. Hope this helps!
      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    47. Re:Why?? by master_p · · Score: 1

      Most people do not know about Firefox or other browsers. Most people do not even know what a browser is. They think of the blue IE icon as "the internet". Most people remember the things they did ("I wrote this and this letter, I saw this and this on the internet, I sent this email", etc.) but they do not have a clue about what programs they used, how computers operate, etc.

      As a responsible programmer, I help people in our company replace IE with Firefox. It is quite funny to hear the responses of people. Some have been trained so well to hide windows with undesirable content (p0rn sites, hacking adverts etc) that somehow was downloaded illegally to their computer: they click the close button in the windows so fast that the window does not seem to be there! And of course Spybot and Adware have a party in their machines...

    48. Re:Why?? by mu22le · · Score: 1
      1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.


      A lot of people think ie IS internet
    49. Re:Why?? by Fred_A · · Score: 1

      For some reason some people just don't get it. I fixed a friend's machine about a year ago (viruses, spyware, etc. as best I could) then installed Firefox with a couple extensions to make it more comfortable. Showed him how to use it, showed him why, removed the IE shortcuts.

      Next time I came by, he had gone to the habit of starting IE through the file explorer. No real reason. It didn't work any better or anything. He didn't really know why.

      The machine was hosed again. I left it that way.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    50. Re:Why?? by Fred_A · · Score: 1

      Some users should just stick to a notebook and a pencil, they're not worth the effort. :-/

      I know a lot of people who have given up on some relatives who just don't "get" computers. Apparently they actively refuse to make the effort. They are typically brilliant people, capable of learning pretty much anything fairly fast, except that.

      Currently computers are complicated, until we get some kind of AI working they *will* require some learning to use. Just like any other tool. However just using them (as opposed to running them, programming them or making them) doesn't require that much work. And saves a lot of time pretty fast.

      Ah well, I still show people how to focus their 3 year old compact digital camera (press the button halfway) or how to set the flash (press the button with a lightning). I'm amazed they manage to turn their TV on or listen to a CD.

      And to get back to the subject at hand, they'll never ever change their browser unless you remove every single trace of the previous one from their machine for them.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    51. Re:Why?? by CDarklock · · Score: 1

      > Did you try the POC exploit in TFA?

      Yes, and it works in IE7 too.

      > The whole point of it is that you see a javascript link

      You don't find JavaScript links immediately suspicious?

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
  2. Test I can try? by stunt_penguin · · Score: 5, Funny

    1. Look up in top left hand corner of browser.
    2. If icon is a blue 'e' then you're vulnerable.

    That is all.

    /ms troll

    --
    When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    1. Re:Test I can try? by jammindice · · Score: 2, Funny

      Not even the beta IE 7 i have is working right, thank god firefox tested good, otherwise i might have to switch to lynx!!!

      --
      - My uid ends in 69...
    2. Re:Test I can try? by Anonymous Coward · · Score: 0

      This is an ironic topic.

    3. Re:Test I can try? by Anonymous Coward · · Score: 0

      Interestingly enough, firefox flashed the google address - and Google's page - before going back to secunia. And Konqueror just went to www.google.com (default policy blocked the popup window from secunia)

    4. Re:Test I can try? by bhtooefr · · Score: 1

      Opera flashed the Google page, then displayed an SWF saying "Secunia", then loaded the Secunia page. URLs remained correct.

      IE 6 (XPSP2) flashed Google, then loaded the Secunia page. Again, URLs remained correct...

    5. Re:Test I can try? by pixelpusher220 · · Score: 1

      IE6 XPSP2 does not maintain the URLs correctly. Fully patched corporate 'puter here and it fails the test. I get the Secunia flash but still with google in the address bar. It's slow as dirt, meaning I can clearly see the switch over, but if a true phish site looked reasonably close you wouldn't likely notice. Firefox 1.5.0.1 works correctly.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  3. Just load Maxthon! by KennyP · · Score: 1

    And IE doesn't have that flaw anymore.

    My Address bar showed Google, and the page displayed was Google.

    Done and done!

    Visualize Whirled P.'s

    1. Re:Just load Maxthon! by Anonymous Coward · · Score: 0

      Yep, I can confirm. Same behavior here. Loads Google, shows Google. I'd test with vanilla IE, but... eh. I don't even know if I have the executable still around, and I'm too lazy to find it if I do.

  4. Wonderful by Anonymous Coward · · Score: 0

    This is great news. Now I have one more thing to show my firefox sceptics.

  5. Bug fixed in IE7b2 by LocalH · · Score: 3, Informative

    I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.

    --
    FC Closer
    1. Re:Bug fixed in IE7b2 by Krach42 · · Score: 2, Informative

      I just checked in IE6, and I thought that the bug was gone, but it just turns out that if you don't stay in the window, it doesn't work. If the window loses focus, then the test will fail, even inside a vulnerable IE window.

      I retested keeping focus in the window, and confirmed the bug.

      --

      I am unamerican, and proud of it!
    2. Re:Bug fixed in IE7b2 by Anonymous Coward · · Score: 0

      "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected."

      http://secunia.com/advisories/19521/

    3. Re:Bug fixed in IE7b2 by LocalH · · Score: 2, Insightful

      I stand corrected - I just did the same as you and found the vulnerability is present.

      --
      FC Closer
    4. Re:Bug fixed in IE7b2 by NeoThermic · · Score: 3, Informative

      You can also fix this in IE6. Go to Tools -> Options, click the security tab, then click on 'Custom Level'

      Scroll down until you find 'Navigate sub-frames across different domains'; set it to prompt or disable.

      The test fails if you set it to disable, and it will ask you if it's allowed (to exploit you) if you set it to prompt.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    5. Re:Bug fixed in IE7b2 by Jonathan_S · · Score: 1

      I tried with IE6 and I didn't experience the bug. When I hovered over the test link IE identified it as javascript:StartTest(); and when I clicked on it nothing happened.

      Of course, that is because I have javascript disabled for the Internet Zone. Amazing how many attacks that renders ineffective. (And also amazing how many websites use javascript for silly things like selecting the next page).

    6. Re:Bug fixed in IE7b2 by walt-sjc · · Score: 2, Informative

      The NoScript FF plugin allows selective use of javascript without messing with "security zones." Quite nice actually. Default deny, and partially allow as needed.

    7. Re:Bug fixed in IE7b2 by MCraigW · · Score: 1
      then the test will fail, even inside a vulnerable IE window

      I found that you need to run IE at the Administrator level for the test to show the vulnerability. I generally use DropMyRights when running IE (the only browser permitted here at work), and the vulnerability didn't show up until I ran IE at Administrator level.

    8. Re:Bug fixed in IE7b2 by assassinator42 · · Score: 1

      Is there any Firefox extension that allows you to have javascript on by default and select sites you don't want to be able to script? Or have a tab in which javascript isn't allowed? I believe there was some tab extension that allowed you to supposedly disable images and maybe scripting, but it didn't really work.

    9. Re:Bug fixed in IE7b2 by Anonymous Coward · · Score: 0

      >You can also fix this in IE6. Go to Tools -> Options,
      >click the security tab, then click on 'Custom Level'

      >Scroll down until you find 'Navigate sub-frames across
      >different domains'; set it to prompt or disable.

      >The test fails if you set it to disable, and it will ask
      >you if it's allowed (to exploit you) if you set it to prompt.

      NOPE. I tried this (both ways; disable and prompt) on Win IE6 running on Win2k. Didn't work; the exploit still succeeded either way.

    10. Re:Bug fixed in IE7b2 by Anonymous Coward · · Score: 0

      ...and I just tested in IE7 Beta 2 (7.0.5296.0) and confirmed I was vulnerable to the exploit.

  6. In other news by Anonymous Coward · · Score: 0, Funny

    Water is wet.

  7. huh by Anonymous Coward · · Score: 0

    this is not news... it's bound to happen sooner or later... it's IE

    1. Re:huh by Anonymous Coward · · Score: 0

      Just like any flaw in FireFox or any other browser is bound to happen. Even if you close a door and lock it a robbery is bound to happen.

      People are idiots for falling for the phishing e-mails in the first place before clicking on the links.

  8. Does not work on IE 6.0.2800.1106 on Win2K by fatboy · · Score: 1

    Is this a bug in XP or something?

    --
    --fatboy
    1. Re:Does not work on IE 6.0.2800.1106 on Win2K by Riddlefox · · Score: 1

      Just tested on IE 6.0.2900 ... on XP, and the flaw does not work. I see the Secunia site, with a Secunia address bar. Even have active scripting turned on.

    2. Re:Does not work on IE 6.0.2800.1106 on Win2K by LunaticTippy · · Score: 1

      Bug works just fine on my XP2 IE 6.0.2800.2180. Glad I don't use IE, that's frickin scary.

      --
      Man, you really need that seminar!
    3. Re:Does not work on IE 6.0.2800.1106 on Win2K by charlesnw · · Score: 0, Troll

      No you didn't. You're lying. Go away now please.

      --
      Charles Wyble System Engineer
  9. Firefox by Anonymous Coward · · Score: 0

    I just went there through Firefox (ver 1.5.0.1) and got the same result as if I went through IE. This doesn't sit well with me.

    1. Re:Firefox by ZachPruckowski · · Score: 1

      really? I just did it in a build optimized for my G4 on my iBook, and the google address came up for a second then went to the right Secunia web address, which is the correct behavior.

      Deerpark G4, Mac OS 10.4.5 Had to disable noscript in order to do the test though. I did have adblock and flashblock still on.

    2. Re:Firefox by chill · · Score: 1

      I just went there through Firefox (ver 1.5.0.1) and got the same result as if I went through IE. This doesn't sit well with me.

      Funny, I didn't. I did get an "open this with..." dialog for a Flash file, which I ignored, so that could be it.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:Firefox by ZachPruckowski · · Score: 1

      I have the flash-player extension or something, so it gave a flash-icon (click to play) for a second, then switched to just the Secunia text, so either it auto-executed (annoying, but not troubling), or it didn't play the flash.

    4. Re:Firefox by ZachPruckowski · · Score: 1

      Further review indicates that the script opens Google, redirects or opens another secunia page, then goes to the test page with the text, and the intermediary page has some Flash on it, which displays a big red-on-grey "Secunia" sign.

    5. Re:Firefox by assassinator42 · · Score: 1

      I got the thing that said "Secunia". No google.com popup like IE, and the final page had the right address, unlike the "google.com" in IE. You're saying the final page showed up as "google.com" in the address bar in Firefox?

    6. Re:Firefox by Kilz · · Score: 1

      The test isn't if the pages change. The test is if http://www.google.com/ stays in the address bar even if the pages change.

      --
      I trust Microsoft as far as I could comfortably spit a dead rat
  10. Confirmed vulnerable by paulproteus · · Score: 2, Funny

    I tested this attack in Internet Explorer 6 on Ubuntu 5.10 running the current Wine deb from winehq.

    --
    |/usr/games/fortune
    1. Re:Confirmed vulnerable by Anonymous Coward · · Score: 0

      I use Mozilla normally but decided to try it with my copy of IE and it didn't work. IE6 w/ WinXP SP2, at least my copy, is not vulnerable.

    2. Re:Confirmed vulnerable by astrosmash · · Score: 1

      That's cute.

      --
      ENDUT! HOCH HECH!
    3. Re:Confirmed vulnerable by JabberWokky · · Score: 1
      Heh. Same here, using the (k)Ubuntu current deb. The exploit works fine. It doesn't in Konqueror, for what it's worth.

      I kind of wish there was a way to change the location bar within the domain -- or at least give a dynamic "bookmark" url. That way AJAX and framed content could change the url based on what was being displayed so that the user could bookmark and come back to something inside the site.

      --
      Evan

      --
      "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
    4. Re:Confirmed vulnerable by dubbreak · · Score: 1

      I just tried IE6 on win xp 64; the 32 bit version was vulnerable, the 64 bit version of IE was not.

      --
      "If you are going through hell, keep going." - Winston Churchill
    5. Re:Confirmed vulnerable by BerkeleyDude · · Score: 1

      Weird... I just tried IE 6 on Gentoo, with Wine 0.9.11 - nothing. When I click the link, it just opens an empty window.

    6. Re:Confirmed vulnerable by Anonymous Coward · · Score: 0

      LOL! ur sooooooo cooool. (ubuntu is for fags, get a real distro)

    7. Re:Confirmed vulnerable by jgoemat · · Score: 1

      How do you have your javascript locked down? I have IE version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 running on XP Pro SP2 and it is definitely vulnerable.

  11. IE versions by cpearson · · Score: 1

    Which versions of IE does the flaw affect? No problem here with 6.0

    Montana News RSS Reader

    --
    Windows Vista Help Forum
    1. Re:IE versions by lifeisgreat · · Score: 1

      It didn't do anything to IE 5.0 either. I never bothered to update IE on this w2k box, it seems most new vulnerabilities are 6.x-specific.

    2. Re:IE versions by matth · · Score: 1

      I hope that was a joke, because if you didn't upgrade to IE 6.0+ you have no updates installed on your box!

    3. Re:IE versions by Reziac · · Score: 1

      At the Win2K tech info tour, M$ handed out an IE5 CD that they told us was the Win2K team's internal version, rewhacked to suit themselves. The exact version number is 5.00.2314.1003c. It seems to lack a lot of the problems and vulnerabilities seen in other versions.

      At any rate, I just tested it, and it did display the correct address, tho it couldn't see any of the web page itself other than a whopping big "SECUNIA" banner.

      I also tested Netscape 3.04 and Mozilla 1.5, and neither was vulnerable. NS3 did briefly show google.com in the address bar, but corrected itself before displaying the actual page. Then both showed the explanation:
      ==============
      Your browser is vulnerable if the Address Bar displays "http://www.google.com/".

      Please note. This could easily have been a page looking like the genuine "Google" web site (or any other web site) asking for your login credentials, credit card details, etc.

      This is only limited by the imagination of the attacker (phisher).
      ==================
      which is the part that IE5 couldn't see.

      http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/ crashed Netscape 4.5 outright (that's typically caused by bad javascript), so I couldn't test it.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    4. Re:IE versions by operagost · · Score: 1

      That's not true. I still had 5.x on my W2K server until a few months ago. I think I was using Automatic Updates to get my patches.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    5. Re:IE versions by matth · · Score: 1

      Not possible. AU does not work until you have upgraded to version 6.0+ and on XP you have to validate your windows XP install.

  12. Your Slashdot Login Information by eno2001 · · Score: 3, Funny

    Warning. Your Slashdot login information may have been compromised by a sly fox. To ensure greater security please reply to this comment with your current UID and password and the new password you want. I'll be sure to forward it off to CmdrTaco as soon as I see a response.

    Thanks,
    Internet Security Sheriff

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:Your Slashdot Login Information by Communal+Account · · Score: 0, Informative

      Username - Communal Account Password - kFhthALQ I hope this helps.

      --
      A public account: log in as "Communal Account", password is "kFhthALQ".
    2. Re:Your Slashdot Login Information by Anonymous Coward · · Score: 0

      My uid is NULL
      and my passwd is NULL
      I'd like to have "banana1" as my new password.
      Good day to you sir!

      Yours truly,
      Anonymous Coward

    3. Re:Your Slashdot Login Information by RandomPrecision · · Score: 1

      Oh noes!

      RandomPrecision, UID (911416), Password "slooflirpa".

      Thanks, man.

    4. Re:Your Slashdot Login Information by Anonymous Coward · · Score: 1, Funny
      Anonymous Coward

      ********

    5. Re:Your Slashdot Login Information by Anonymous Coward · · Score: 0

      Login: Zonk
      pass: gheymanluv

    6. Re:Your Slashdot Login Information by JamesTRexx · · Score: 1

      You forgot to mention the new password...

      --
      home
    7. Re:Your Slashdot Login Information by Anonymous Coward · · Score: 0

      My username is eno2001, UID 527078. Stop haxoring me!!!

    8. Re:Your Slashdot Login Information by RandomPrecision · · Score: 1

      True. I'll just have my old one reversed, I suppose.

    9. Re:Your Slashdot Login Information by Cro+Magnon · · Score: 1

      ID: Cro Magnon

      Password: ********

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    10. Re:Your Slashdot Login Information by eno2001 · · Score: 1

      Aha. A sly fox makes an appearance. The hunt is on "Mr. Haxor".

      --
      -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  13. C'mon Slashdot by Anonymous Coward · · Score: 0

    It's no longer news. Seriously.

    Not new. Not news.

    It's olds.

  14. Bill's whiteboard by Anisty · · Score: 0

    Maybe Steve won't let Bill have his shiny digital whiteboard until he fixes IE?

    Unlucky Bill, think you'll have a sparse christmas this year :/

  15. Yeah, New Flaw in OLD VERSION maybe by jafiwam · · Score: 1

    Used the test, doesn't work for me. I see the proper URL.

    Haven't patched in a month or so.

    So... if this flaw exists, it's a fairly old version that has it.

  16. Does this work with SSL sites too? by XorNand · · Score: 0

    The proof of concept would have been more interesting if redirected me to https://www.google.com/ rather than http://www.google.com./ Does it work with a SSL connection?

    Even if it does, it only forwards a person once. If I were to click on a link, the address bar would immediately change to the real domain.

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:Does this work with SSL sites too? by Krach42 · · Score: 1

      If I were to click on a link, the address bar would immediately change to the real domain.

      It only takes one click to send my login and password to a phisher.

      --

      I am unamerican, and proud of it!
    2. Re:Does this work with SSL sites too? by gnud · · Score: 1

      And after the form was submitted, they could pull the same trick again, displaying a "thank you"-page. And then link to the correct domain from there.

    3. Re:Does this work with SSL sites too? by bcmm · · Score: 1

      Would that matter if the page was a login screen?

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    4. Re:Does this work with SSL sites too? by Amouth · · Score: 2, Interesting

      i just modified the code and tested it it will work with https.. It shows

      https://www.google.com/ in the address bar BUT does not use ssl; you do not get the lock in IE.. and also if you try and use it with a domain other than the one the link is on, it causes a full redirect and you get the right address in the bar. Same happens if you try it on a site that is using ssl

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    5. Re:Does this work with SSL sites too? by Anonymous Coward · · Score: 0

      Any address could be put in the address bar, doesn't even have to be a valid URL. And if each new link also had the exploit script then they could keep spoofing the address bar.

  17. Here is something to show to Linux and Be skeptics. by Anonymous Coward · · Score: 0

    I was looking for pictures of dandelions and found a picture of San Francisco Queer Long-hairs (a website on just that topic of frolicking adulterated men), whereas two of those weirdos have either a LINUX or a BeOS shirt: here.

    Say no to Quaker gOatse(s).

  18. This is new HOW??? by Anonymous Coward · · Score: 0

    I'm pretty damned sure we've seen this exploit before on IE. IIRC, wasn't it something that m$ inserted into IE intentionally for their authentication or something?

  19. even when this gets fixed.... by joe+155 · · Score: 2, Informative

    ...phishing is still going to be a serious problem... although the bar is important for users it shouldn't be the only source that they look for to see if a site is authentic, it should be based on all the factors which can give some inclination that the site is either legitimate or not and we need to create a culture where people look with caution on websites. See the register article on this topic with an interesting article on how people deal with these websites http://www.theregister.co.uk/2006/03/31/phishing_study/... worryingly the amount of time spent on a computer doesn't seem to have any effect on how much at risk people are.

    this should also serve as a reminder that people who get fooled with this aren't just stupid fools who don't know what a computer is.

    --
    *''I can't believe it's not a hyperlink.''
    1. Re:even when this gets fixed.... by shokk · · Score: 1

      I agree. My default behavior with any browser, Firefox or IE, is to never visit important sites (anything financial related) on a click-through. That's what the address bar at the top is for. I swear Firefox users are as smug as OSX users. One day, one new vulnerability is going to tear one as wide as the Goat.se.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  20. Corporate Policy by Valdrax · · Score: 3, Informative

    I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.

    So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seems invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get it to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    1. Re:Corporate Policy by 50m31sl4sh. · · Score: 1

      Have you tried this?

      http://ietab.mozdev.org/

      --
      Rediculous is ridiculous!
    2. Re:Corporate Policy by gnud · · Score: 1

      Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others[...]
      IE Tab offers that functionality as a FF plugin.

    3. Re:Corporate Policy by Anonymous Coward · · Score: 1, Interesting

      Maxthon, another IE shell, doesn't seem that vulnerable. With default settings, only the google page opened.
      With AdHunter Disabled (namely the auto popup blocker bit) , 3 tabs opened: google, and moments later the two secunia pages.
      Only after unticking 'Ignore window ID assignment' in Options did all 3 load in the same tab.

    4. Re:Corporate Policy by njchick · · Score: 1

      Then list the defect tracking system in itself.

    5. Re:Corporate Policy by Anonymous Coward · · Score: 0

      Dictionary Definition 1.01

      Corporate Policy (n):
      1. We are right and you are wrong, always.
      2. We will shove our preferences down your throat.
      3. Thank you sir! May I have another?!

    6. Re:Corporate Policy by Nosklo · · Score: 1
      both refuse connections from anything that doesn't identify itself as Explorer

      Maybe you should try User Agent Switcher extension. Then your firefox will identify itself as IE. I use it all the time to navigate to sites which block non-IE browsers.

      --
      find -name "*base*" -exec chown us {} \; ; ln -s /dev/zero /dev/chance ; make time
    7. Re:Corporate Policy by Valdrax · · Score: 1

      Did you miss the clause that followed the bit you quoted:
      and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.

      How do you think I did that?

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    8. Re:Corporate Policy by duerra · · Score: 1

      Have you ever tried Maxthon? It is easily the best IE replacement on the market, in my mind. I like it better than Firefox, Opera, or anything else I have tried. I have tried Avant as well, but it seems Maxthon is more full featured and less buggy. There's lots of plugins and stuff for it as well, though the only one I really use is a "find" plugin to replace the crappy default IE one (this one works similar to how FF's find works).

    9. Re:Corporate Policy by Fred_A · · Score: 1

      Since this is /. obviously you edited the source and recompiled Firefox.

      Either that or there's been a serious lapse of standards on this website...

      --

      May contain traces of nut.
      Made from the freshest electrons.
    10. Re:Corporate Policy by ttldkns · · Score: 1

      you have to bear in mind, though, that Maxthon isn't technically a replacement for IE, just a pretty shell within which IE runs.

      --
      How many computers are too many?
  21. The following versions are affected: by Quince+alPillan · · Score: 2, Interesting

    According to the advisory linked in the article:

    The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.

    But I'm running IE6 on XP SP2 fully patched and I'm not vulnerable to their test. Since this involves macromedia flash, I'm assuming this is mixed with a bug in flash or else something else besides IE alone is causing this bug.

    1. Re:The following versions are affected: by Mostly+a+lurker · · Score: 2, Insightful

      As I understand it, there is a timing component to the flaw and I could imagine you not being vulnerable if the SWF file is too small or you have an extremely fast Internet connection.

  22. Ga! by MightyMartian · · Score: 4, Funny
    New Phishing Flaw in Internet Explorer

    I'm shocked, I tell you, I'm shocked!

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Ga! by madnuke · · Score: 3, Funny

      It doesn't work in Firefox :P so much for browser compatibility.

  23. Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr... by ThinkFr33ly · · Score: 1

    Tried it on XP using IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519. (Update versions SP2, 3283) and it showed the correct URL.

    My XP machine is fully patched.

    Did somebody jump the gun over at Secunia?

  24. Latest and 'greatest' not vulnerable... by Assmasher · · Score: 1

    ...surprisingly.

    One nice thing about Mozilla is that you can easily disseminate who is or is not vulnerable based upon a simple to understand version number. Not so with IE.

    --
    Loading...
    1. Re:Latest and 'greatest' not vulnerable... by Haeleth · · Score: 1

      One nice thing about Mozilla is that you can easily disseminate who is or is not vulnerable based upon a simple to understand version number.

      As long as the vulnerability is always present, not triggered by individual extensions. And except for all the people using nightlies, and unofficial builds. And for flaws in Gecko, you have a different "simple" version number for every single Gecko browser - Firefox, Seamonkey, Galeon, Camino, and all the others that I've forgotten.

      Sorry, but while Mozilla et al. have many advantages, simplicity of identifying which users are at risk from any given flaw is not one of them.

    2. Re:Latest and 'greatest' not vulnerable... by Assmasher · · Score: 1

      Sorry but I disagree. ANY numbering scheme is better than discerning what is or isn't installed on your XP machine for IE or any other code point.

  25. Which Version? by kid-noodle · · Score: 3, Interesting

    Judging from my own quick go on the test as well as the /. comments, the advisory that this affects 6.x versions is wrong. It would be more useful if there was information on which 6.x versions it affects - is this an issue introduced in a recent patch, or is it pre-whatever versions only? (And an undetermined number of IE7 versions)

    Is this related to the flash player version?

    More data needed!

    --
    fortune -o
    1. Re:Which Version? by Idaho · · Score: 1

      the advisory that this affects 6.x versions is wrong

      Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 here (so yes, XP SP2), and the exploit works just fine. It might depend on your security settings, which I didn't really bother to check in IE because I never use it anyway. Maybe you disabled any kind of scripting or have installed 3rd party popup-blockers or anything else that might change the default behaviour?

      --
      Every expression is true, for a given value of 'true'
    2. Re:Which Version? by Anonymous Coward · · Score: 0

      This exploit doesn't work if you don't have flash player for IE, which they neglected to mention.

    3. Re:Which Version? by minus_273 · · Score: 1

      just tested and the hole exists in IE7 beta 2

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
  26. It happens in Firefox too by mshmgi · · Score: 0

    It's not just IE. I just tried the Secunia test using FireFox 1.5.0.1 on Mac OS X 10.4.6. It worked. The Secunia test did not work using Safari.

  27. Addendum: by kid-noodle · · Score: 1

    If, like me, you ran a quick check with IE and flicked away to look at something else.. It didn't work.

    The window must remain in focus for the spoof to succeed - at least in my version of IE.

    --
    fortune -o
  28. It's not just Explorer. by MaWeiTao · · Score: 0

    I just tested Safari, Firefox and Explorer on my Mac. Only Safari came through fine, staying on the Google page. The other two browsers failed. Both Firefox and Explorer 6 on my PC here failed, being listed as susceptible.

    1. Re:It's not just Explorer. by Kilz · · Score: 1

      The test is confusing. The results page at the end with black bars will say http://www.google.com/ in the address bar if it fails the test. You may have an old version of Firefox if it failed, or you may be reading the results of the test wrong. I just tested Firefox 1.5.0.1 and it passed.

      --
      I trust Microsoft as far as I could comfortably spit a dead rat
    2. Re:It's not just Explorer. by kwieland+in+stl · · Score: 1

      I admit that Firefox showed some funny stuff, but it ended up showing the Secunia site but with the Secunia URL. What version are you running? I have version 1.5.01. Does the non-Mac based Firefox show this anomaly?

      K

    3. Re:It's not just Explorer. by biz0r · · Score: 1

      No it isn't the non-mac version. I am running FF 1.5 here on linux (slackware 10.2 to be specific) and it passed the test.

      --
      /* sig */
    4. Re:It's not just Explorer. by Anonymous Coward · · Score: 0

      I tested it under Mozilla 1.17.12

      The address bar showed this "http://secunia.com/19521_swf_result/"
      So no problems here I think.

      -AC

    5. Re:It's not just Explorer. by wordsofwisedumb · · Score: 1

      I just tested Safari, BonEcho, DeerPark, Camino, Firefox, DEVONagent, iCab, Internet Explorer, Netscape, and Opera all on Mac (most recent versions of each, beta builds of some). Safari is the only one that stayed on the Google page. The others all displayed the correct name though.

    6. Re:It's not just Explorer. by Anonymous Coward · · Score: 0

      The test isn't whether or not it "stays" on the google page. It's whether or not, when forwarded from google.com, the address bar stays the same. A browser that "stayed" at google.com just has broken flash.

  29. Yes, it does: IE 6.0.2800.1106 on Win2K by JasonKChapman · · Score: 1
    Is this a bug in XP or something?

    It works on mine, and it's apparently the same version. IE 6.0.2800.1106 and Win2k. Since it's using Flash, it may be dependent on which Flash player version is installed.

    --
    Sorry, I'm a writer. That makes you raw material.
  30. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by twofidyKidd · · Score: 1

    That's interesting because I'm running 6.0.2900.2180.xpsp_sp2_gdr.050301-1519CO (don't know what the deal is with the CO on the end there, I just typed out what it says in the about box) and I found that I was vulnerable. Supposedly my XP machine is fully patched as well (Work PC with forced daily patch roll-outs via IT).
    FWIW, this post is coming from the Firefox browser. I still have to run IE for all the crappy Peoplesoft and SAP applications that depend on it.

    --


    Hades, PoD: Official Advocate
  31. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by Xiaotou · · Score: 1

    I have exactly the same version, and I failed the test. Now what?

  32. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by Krach42 · · Score: 2, Informative

    I tried it first, and it failed, then I tried it again, and it worked. Turns out if you don't keep focus in the window, the flaw doesn't happen.

    Just for your info, I'm using:

    IE Version 6.0.2900.2180.xpsp_sp2_gdr.060220-1746

    and my Windows XP is fully patched.

    So it's probably a related issue, or something else, but your browser is definitely just as vulnerable to the flaw as mine.

    --

    I am unamerican, and proud of it!
  33. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by apt142 · · Score: 1

    That's odd. It works on my version of IE (6.0.2900.2180.xpsp_sp2_rtm.040803-2158). I'm not too far off on the service packs but, I've been slack lately.

    It looks likely there is a fix in a service pack between your version and mine.

  34. patch tuesday by fusto99 · · Score: 0

    I wonder if there will be a patch for this released on 4/11. I just got this email from MS a few minutes ago:

    "Four Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. One of the updates will be a cumulative Internet Explorer update that addresses the publicly known "CreateTextRange" vulnerability."
  35. Re:Does work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by aaronl · · Score: 1

    Interesting. *I* just tried it on XP using IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, and it showed the incorrect URL, as predicted by Secunia.

    My XP machine is also fully patched.

  36. News??? by Anonymous Coward · · Score: 0

    WTF? this is waaaaaaaaaaaaaaaayyyyyyyyyyyy too old to be in the news. I read of this vulnerability on MSFT's site like two years ago and they had provided a script that would reveal the actual URL in the address bar. you had to paste that script in the address bar and hit enter. voila the real address is shown. you are still vulnerable but that does not make it news.

  37. Not me, IE6 fully patched by RichMeatyTaste · · Score: 1

    The address bar says what it should....

    Smells like FUD if you are fully patched.

    --


    Ever feel like you are driving the getaway car?
  38. IE6 under WINE by pscottdv · · Score: 1

    My copy of IE6 running under WINE has the flaw.

    --

    this signature has been removed due to a DMCA takedown notice

    1. Re:IE6 under WINE by LinuxRulz · · Score: 1

      I see I am not the only one to have IE under wine just to test those funny vulnerabilities!

  39. Umm... by atrader42 · · Score: 2, Funny

    When I run IE, the icon in the top left is an arrow pointing left...does that mean I'm ok and Paypal really does need me to confirm my account details several times a day?

    1. Re:Umm... by stunt_penguin · · Score: 1

      Absolutely, shopper. You may continue to enter personal information at will :o)

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    2. Re:Umm... by Hoi+Polloi · · Score: 1

      I prefer to enter the personal information of phishers into each other's scam mail, that way they just circulate their stolen funds back and forth.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  40. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by Cruian · · Score: 1

    I'm using the same version number and no updates are showing up at Microsoft Update. It shows the Secunia page with the google.com address for me.

  41. What? by snib · · Score: 4, Funny

    This doesn't work in Firefox. I hate it when people only design their pages for IE!!

    --
    This message will self-destruct in 5, 4, 3...
    1. Re:What? by Seltsam · · Score: 1

      This worked on my version of Firefox. I happen to have IE View and IETab Lite installed, but not enabled for that page.

    2. Re:What? by dynamo52 · · Score: 1
      This doesn't work in Firefox. I hate it when people only design their pages for IE!!

      you need to enable java for the site

      --
      Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
    3. Re:What? by mapkinase · · Score: 1

      It sure does, says "your browser is vulnerable". Apparently my Firefox installation got the security flaw from the co-installed bluE.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    4. Re:What? by the_wesman · · Score: 1

      actually - I went to that site in firefox 1.5 and apparently I am susceptible to the vulnerability - this is apparently not specific to IE - can someone else verify this?

      --
      calling all destroyers
  42. Looks like I'm secure by m50d · · Score: 5, Funny

    I tried to open the test page in Konqueror and it crashed. I wish I was joking :(

    --
    I am trolling
    1. Re:Looks like I'm secure by leonscape · · Score: 1

      Didn't crash here, the popup just got blocked. When I allowed popups and tried again, the Secunia page opened just as another tab again, with its own address. Good old Konq.

      --


      If at first you don't succeed, you're a programmer...
    2. Re:Looks like I'm secure by bcmm · · Score: 1

      Didn't crash my Konqueror in KDE 3.5.0.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    3. Re:Looks like I'm secure by Anonymous Coward · · Score: 0

      Does not crash here...
      Konqueror 3.5.2 KDE 3.5.2

    4. Re:Looks like I'm secure by Anonymous Coward · · Score: 2, Informative

      It crashed for me too. I turned the javascript popups to allow to see it, and then turned it off, and clicked again, and it crashed.

    5. Re:Looks like I'm secure by Anonymous Coward · · Score: 0

      Didn't crash here (3.5.2). Maybe your flash player installation is buggy?

    6. Re:Looks like I'm secure by Anonymous Coward · · Score: 0

      your sig wins a UUOC award

    7. Re:Looks like I'm secure by shumacher · · Score: 1

      Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.10-1.ydl.1; X11; ppc) (KHTML, like Gecko)

      No crash for me.

    8. Re:Looks like I'm secure by addaon · · Score: 1

      unnecessary use of cat?

      strings /dev/mem | grep -i llama

      --

      I've had this sig for three days.
    9. Re:Looks like I'm secure by Anonymous Coward · · Score: 0

      Konqueror definitely has issues depending on the javascript policy for opening new windows.

      My results
      ----------
      Allow: crashes
      Ask: crashes
      Deny: correctly blocks new window
      Smart: fails - shows google.com

    10. Re:Looks like I'm secure by m50d · · Score: 1

      Tried again and it worked. Bloody binary-only plugins...

      --
      I am trolling
    11. Re:Looks like I'm secure by bcmm · · Score: 1

      Gah, I thought I had a reason for that, but thinking about it, I clearly don't... I must be retarded.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    12. Re:Looks like I'm secure by bcmm · · Score: 1

      Specifically, I was almost sure that strings threw errors if it was run directly on a device...

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    13. Re:Looks like I'm secure by x_codingmonkey_x · · Score: 1

      Hmm I just tried it with Konqueror and it actually displayed the google.ca website. I guess that Konqueror is also vulnerable to this attack. I'm using Konqueror 3.5.2. (Good thing I actually use Firefox for my web browsing).

    14. Re:Looks like I'm secure by m50d · · Score: 1

      No, displaying google.ca is fine, it's if it manages to change it to the "you are vulnerable" page while leaving the address bar showing google that there's a problem.

      --
      I am trolling
  43. vulnerable on IE by cornellfOo · · Score: 1

    my IE is susceptible to this. version: 6.0.2900.2180.xpsp_sp2_gdrblahblahblah

  44. My web browser is not vulnerable! by Anonymous Coward · · Score: 0

    Oh sweet holy cow. My web browser is not vulnerable. In the address bar, it says, www.google.ca

  45. Netcraft Toolbar isn't fooled by bobdehnhardt · · Score: 1

    If you've got the Netcraft Toolbar installed in IE, it isn't fooled. In the test, even though the address line reads "www.google.com", the toolbar correctly identified the content as coming from Secunia.

    Disclaimer: I am not a Netcraft employee, just a satisfied customer.

    1. Re:Netcraft Toolbar isn't fooled by RandomPrecision · · Score: 1

      The normal IE/Firefox/Opera toolbar shows that too.

  46. Fundamental Browser Issue by chill · · Score: 4, Insightful

    The concept is simple. See the button bar (tab bar on Firefox) up top? Now look down -- see the Status bar down below? In between there is the screen real estate that content should be allowed to touch. Under no circumstances should anything outside of that area be touchable by the browser or any task/thread/job spawned by the browser. Period. The URL bar, button bar, toolbar, and statusbar should be inviolate. Javascript (or ANY script) should be unable to display text in the status bar, thus making it impossible to lie about link location.

    Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.

    Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.

    * * *

    For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Fundamental Browser Issue by chill · · Score: 1

      Preview, preview, preview.

      By "touchable by browser" I meant "touchable by content rendered by the browser".

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Fundamental Browser Issue by Dachannien · · Score: 1

      I agree wholeheartedly. Other things that shouldn't be possible: specifying a window as never having scrollbars, specifying a window as non-resizeable, or changing the behavior of a right-click to anything other than causing the context menu to appear.

    3. Re:Fundamental Browser Issue by Anonymous Coward · · Score: 1, Informative

      Except that in this exploit the content doesn't modify the address bar. It takes advantage of a bug in IE to trick the browser itself into forgetting to update the address when the page is redirected.

      So, sorry, but even if IE was designed to the principles you suggest, it would still be vulnerable to this. It's the implementation that's buggy, not the design.

    4. Re:Fundamental Browser Issue by steveo777 · · Score: 1
      Agreed 100%. So, why is it so hard to keep this from happening? I'd be fine installing flash and shockwave with an external application. I'd be fine having to download anything to my HardDisk, scan it, and then be able to open it (movies, photos, executable).

      I would append, under no circumstance may internet content instruct my browser to be a certain size, take away from any functionality of either the mouse or shortcuts... a true sandbox.

      --
      This sig isn't original enough, it's time to come up with something witty...
    5. Re:Fundamental Browser Issue by Penguin · · Score: 1

      If you want a fundamental error and slow fix, look at the ancient mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=104532 (you might need to copy-and-paste the link). It took over four years to get a reasonable result. This is damn scary.

      Fortunately it seemed like the window-property wasn't shared.

      --
      - Peter Brodersen; professional nerd
    6. Re:Fundamental Browser Issue by jgoemat · · Score: 1
      If you want a fundamental error and slow fix, look at the ancient mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=104532 (you might need to copy-and-paste the link). It took over four years to get a reasonable result. This is damn scary.
      Yes, I'd much rather have a malicious web site appear to be a trusted one than have the wrong scrolling text display in the status bar...
    7. Re:Fundamental Browser Issue by assassinator42 · · Score: 1

      I believe you can turn off javascript's ability to change the status bar in Firefox. And, doesn't it already pop up a warning saying the site's URL doesn't match the certificate's URL? I know I've had it warn when I was on blockbuster.com and the certificate was for www.blockbuster.com or something like that.

    8. Re:Fundamental Browser Issue by chill · · Score: 1

      And, doesn't it already pop up a warning saying the site's URL doesn't match the certificate's URL? I know I've had it warn when I was on blockbuster.com and the certificate was for www.blockbuster.com or something like that.

      Yes, it will pop up a certificate warning. IE does the same thing. However, it is full of big words that most people susceptible to phishing and scams just click thru. The idea is to make a "permanent" warning that something is not quite right and boil it down to the one pertinent issue: the URL you are at doesn't exactly match the one the cert is for.

      People need a simple RED == BAD, ORANGE == WARNING, GREEN == GOOD system for this. KISS.

      --
      Learning HOW to think is more important than learning WHAT to think.
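The mismatch discussed in this sub-thread (being at blockbuster.com while the certificate names www.blockbuster.com), as an added example that is not part of any comment above. It assumes the common rule that a certificate name must match the host label for label, with `*` allowed only as the whole leftmost label; the function names are hypothetical, and it maps only GREEN and ORANGE because the thread does not say what RED should mean.

```python
# Added illustration, not code from the thread or from any browser.
# Decides whether a certificate's DNS names cover the host in the address
# bar, and returns the colour proposed above: GREEN on a match, ORANGE on
# a mismatch, together with the one line of text a user would need.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, host):
    """True if cert_name (possibly '*.example.com') covers host."""
    cert, target = _labels(cert_name), _labels(host)
    # A name never covers a host with a different number of labels, so
    # 'www.blockbuster.com' does not cover 'blockbuster.com' and
    # '*.example.com' does not cover 'a.b.example.com'.
    if len(cert) != len(target) or "" in target:
        return False
    if cert[0] == "*":
        # Wildcard must be the whole leftmost label, must not appear
        # again, and must leave at least two fixed labels ('*.com' is out).
        if len(cert) < 3 or any("*" in label for label in cert[1:]):
            return False
        return cert[1:] == target[1:]
    if any("*" in label for label in cert):
        return False  # partial wildcards such as 'w*.example.com' rejected
    return cert == target


def indicator(host, cert_names):
    """Return (colour, message) for the address-bar host and cert names."""
    for name in cert_names:
        if name_matches(name, host):
            return "GREEN", "certificate issued to " + name
    issued = ", ".join(cert_names) if cert_names else "(no names)"
    return "ORANGE", "you are at %s but the certificate is for %s" % (host, issued)


if __name__ == "__main__":
    # The case from the thread, plus constructed wildcard cases.
    print(indicator("blockbuster.com", ["www.blockbuster.com"]))
    print(indicator("www.blockbuster.com", ["www.blockbuster.com"]))
    print(indicator("login.example.com", ["*.example.com"]))
    print(indicator("example.com", ["*.example.com"]))
```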
  47. Works in Win2k here by Anonymous Coward · · Score: 0

    Works here, Win2k 5.00.2195, IE 6.0.2800.1106. I see Google.com in the address bar but the content is from Secunia.

  48. To Microsoft Programmers: by MarkVVV · · Score: 1

    Dupe!

  49. issue exists in IE only here by niall111 · · Score: 1

    firefox was fine, IE was broken. using IE 6, installed on work PC.

  50. Re:Here is somthing to show to Linux and Be skepti by Andrew+Kismet · · Score: 0, Offtopic

    Why does the image of Linux fans as fat, bearded guys with bad hair and beer not surprise me in the slightest? :/
    I even know a guy who uses Linux and looks like that.. in person. Linux on a hacked XBox, to be precise...

  51. Does work on IE 6.0.2800.1106 on Win2K by alphaseven · · Score: 1

    I'm running IE 6.0.2800.1106 on Win2K and the flaw worked. I upgraded flash from 8,0,22,0 to 8,0,24,0 and it still worked. Windows update says I'm up to date.

  52. NEVER MIND by mshmgi · · Score: 0

    On second thought ... forget I ever said that. Firefox showed the first redirect page, but the address bar correctly identified the URL. FF never redirected me to the second URL so I missed the "If your address bar still says "google.com" ... " bit.

  53. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by greenegg77 · · Score: 1

    Hmmm - I'm using the same version as you, fully patched, and I get hit with the flaw. As a side note, using IETab in Firefox leaves you vulnerable as well.

    --
    --- This .sig for sale - $500 OBO.
  54. SSL and phishing by internic · · Score: 2, Informative

    If people would pay attention to whether the connection is a secure SSL connection, wouldn't that alleviate most of the problem? As I understand it the browser would show "secure" if the site has a valid SSL cert signed by one of the root certification authorities installed in your browser that was registered to the domain of the site you were looking at. I suppose it's possible that a phisher could get a valid SSL cert for their phishing domain, but isn't that pretty unlikely?

    Of course, training people to pay attention to whether it's a secure connection before giving important private information is a different issue, but it seems like you might be able to make some progress through education and adding features to the browser to make it a bit more obvious. You could make the secure icon more obvious, and you might even be able to get more clever and guess which pages are bank pages and ask "are you sure" when people try to send info unencrypted to those pages.

    Meanwhile, my bank and some of my credit cards have a login prompt on the front page that is not https. Sure, it starts an SSL connection after you hit login, but, at that point, if you've been spoofed it would already be too late.

    --
    "You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
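A site owner's check for the pattern described in the comment above, where the login prompt sits on a non-https page and SSL only starts after you hit login. This is an added example, not part of the comment; the function and class names are hypothetical and the sample pages and `bank.example` hosts are constructed.

```python
# Added illustration: audit a page for login forms that the visitor
# cannot verify before typing a password.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form> with its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._current = {"action": attr.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attr.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form: its target URL and its problems."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue  # search boxes and the like are not login prompts
        target = urljoin(page_url, form["action"])  # empty action posts to the page
        problems = []
        if not page_secure:
            # The case from the comment: the page carrying the prompt was not
            # authenticated, so an https action does not help the user.
            problems.append("form-served-over-http")
        if urlsplit(target).scheme != "https":
            problems.append("credentials-posted-over-http")
        findings.append({"target": target, "problems": problems})
    return findings


# Constructed sample pages.
FRONT_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<form action="https://secure.bank.example/login" method="post">
  <input type="text" name="user"><input type="password" name="pw" />
</form>
"""
RELATIVE_LOGIN = '<form action="/login"><input type="PASSWORD" name="pw"></form>'

if __name__ == "__main__":
    print(audit_login_forms("http://www.bank.example/", FRONT_PAGE))
    print(audit_login_forms("http://www.bank.example/", RELATIVE_LOGIN))
    print(audit_login_forms("https://www.bank.example/", RELATIVE_LOGIN))
```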
  55. IE 6 Does have the Vulnerability by Anonymous Coward · · Score: 0

    IE6 does have the vulnerability. I tested with IE6 - 6.0.2900.2180_xpsp_sp2_gdr.050301-1519. Firefox did change the url address to secunia, but Explorer displayed www.google.com.

    Explorer is a bad piece of coding software imho.

    peace.

  56. FireFox & MacOSX by Anonymous Coward · · Score: 0

    Your browser is vulnerable if the Address Bar displays "http://www.google.com/".

    .... with FireFox and MacOSX!

  57. Internet Explorer 7 by Anonymous Coward · · Score: 0

    Tried it in IE7 Beta 2 (7.0.5335.5) and it "works"...

  58. Only in IE by Anonymous Coward · · Score: 0

    TFG for firefox

  59. Again, who cares? by Tatsh · · Score: 1

    Any flaws from Microsoft software are worth a Slashdot story? Not in my opinion. See, flaws in Microsoft software are an everyday thing for me. Very used to it.

    I don't use IE for much, but it's not like everyone's going to hit the site with the exploit. I'm sure more than ~95% won't. Count how many articles about flaws in IE have been posted on this site, and how many of Firefox. I think Firefox may be worth reporting on here, but only because Firefox is still not used as much as people would hope. And because Firefox is still in development, compared to IE.

    Once everyone has Firefox, it'll become an everyday thing to hear about Firefox exploits and waste pages for it.

    1. Re:Again, who cares? by Anonymous Coward · · Score: 0

      Since IE is still a majority use browser in a lot of businesses and even home systems, it is quite useful to actually pay attention to problems that could bite you when you are forced to use one such system without the ability to run or install your own browser on their personal computer. Continue to ignore them and you'll end up being phished as easily as the ignorant masses.

      No, I haven't used IE in years, but, I still want to hear little details like this. If nothing else, it's just more ammo for me to hit IE proponents with. Luckily most systems I use are set up by idiots or use a harddrive imaging scheme (all settings and files are back to the original image after a reboot on my school's systems) so I can use my thumbdrive with a copy of my browser on it, but, there are still those few rare systems where you have actual user rights instead of super-user or admin and no Firefox or Opera exists on the system. It's use IE or use nothing. Sometimes nothing isn't an option.

  60. Deepnet, people! by Syberghost · · Score: 1

    If you for some reason HAVE to use Internet Explorer, at the very least you should be using Deepnet Explorer, with the anti-phishing (and anti-everything-else) turned on. If you don't know that by now, please sell your computer before you hurt somebody.

  61. Good Grief by rAiNsT0rm · · Score: 3, Funny

    The other day I sent out an email to everyone in our company warning them of a new phishing scheme with a copy of the email attached. Within 10 minutes I had not one, but TWO replies to me with people's account/password info.

    So not only did they miss the entire message, they also couldn't even give their information to the right person. I wanted to just cry... I honestly think phishers deserve some people's information.

    --
    http://teasphere.wordpress.com - A little spot of tea
  62. I was vulnerable by Anonymous Coward · · Score: 0

    I don't even use my IE but I tested it and my version of IE was vulnerable.
    I'm using version 7.0.5296.0

  63. Not a new proof of concept hack by Alaskan+Snake · · Score: 1

    This was already shown to be a vulnerability back in 01. Funny how it's still around 5 years later...asleep at the wheel in Redmond. http://www.microsoft.com/technet/security/Bulletin/MS01-027.mspx

  64. Off-topic by Anonymous Coward · · Score: 0

    I never noticed this before, but when I go into Help > About in ie, the first thing I read was: "Based on NCSA Mosaic. NCSA Mosaic(TM) was developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign." Weird, I never noticed this credit before.

  65. Here you go by Dr.+Evil · · Score: 2, Funny

    Dr. Evil, blah2glorb

    1. Re:Here you go by rAiNsT0rm · · Score: 3, Insightful

      hehehe, awesome. The sad part is that phishers do all this elaborate bullshit to fake their requests, when I guarantee a plain text email asking nicely for info would net them just as many results.

      --
      http://teasphere.wordpress.com - A little spot of tea
  66. Re:Why?? -- for IE only apps.... by Kincaidia · · Score: 2, Informative

    I would suggest This Firefox Plugin. Works like a dream - you can with a right click open any currently open tab in a new tab, rendered with IE instead of FireFox. You can also set specific websites (update.microsoft.com, etc) to automatically open with IE instead of FireFox. Best part for a web developer - they each have separate caches, so I can have multiple logins to the same sites for testing purposes :)

  67. ie6 is crap, cause its vulnerable too. by xWastedMindx · · Score: 1

    IE 6.0.2800.1106 on Windows 2000 is vulnerable.

  68. Works in IETab as well by Patman · · Score: 2, Informative

    Note that this exploit also works if you're using the IE Tab add-on for Firefox. I know that IE Tab basically runs IE in a Firefox window; but, I was surprised that the address bar was corruptible.

    1. Re:Works in IETab as well by Anonymous Coward · · Score: 0

      I tried it with IE Tab in FireFox and I passed the test. I tried in the normal Internet Explorer and it failed.

      Are you running an earlier version? (pre-1.0.8)

  69. ff tabs by LunaticTippy · · Score: 1

    I just installed on a friend's computer last week, and I don't remember setting any tab functionality. If you don't know about tabs, you won't see them. If you hit Ctrl-T you'll still get a new tab, or if you Right-Click you can open in a new tab. You can set it to automatically open links in a new tab, but it's probably best to let the user do that when they're ready.

    --
    Man, you really need that seminar!
  70. move along now... by design+by+michael · · Score: 1

    "...a new vulnerability in Internet Explorer..."

    Nothing new to see here...move along now.

    --
    401 - Attention span not found
  71. moderate risk? by goldfita · · Score: 2, Interesting

    The article said this is a moderate security risk. This is bad. At first they were asking for private information in e-mail. Then they were copying web sites and linking to them. I've already had to train myself to be wary of e-mail. Now I've started looking at URLs. But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?

    The spam is bad enough, but I'm frequently clicking the 'report phishing' link these days. You only have to make a mistake once.

    1. Re:moderate risk? by fdiskne1 · · Score: 2, Interesting
      But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?

      Simple. If it comes to you in an email or in any way other than you typing the URL in the address bar, it's fake. Granted, DNS poisoning can still take advantage, but that's not the browser's fault. At least this is the way I treat any email requesting me to log on somewhere. I saw an email one of our users received that looked like a phishing email in that it asked them to click a link to login and view their bank account. They said their bank always sent this type of email. I looked at the source of the email and it was going to the correct URL. It wasn't faked. If you ask me, that bank is just asking to have their customers get ripped off.


      --
      But why is the rum gone?
  72. Remember January 15th, 2002, by dpbsmith · · Score: 2, Funny

    when in an internal memo, Bill Gates said "We must lead the industry to a whole new level of Trustworthiness in computing."

    Remind me, again... how many major OS releases and services packs and IE versions have been released since then?

  73. Boot Camp by AragornSonOfArathorn · · Score: 2, Funny

    I'm running IE on my new MacBook via Boot Camp. But since Macs don't get viruses, I'm safe, right?

    --
    sudo eat my shorts
    1. Re:Boot Camp by rbarreira · · Score: 1

      This has nothing to do with viruses, but l0lz0rs to your joke anyway.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  74. Generic Slashdot Comment by Hoi+Polloi · · Score: 1

    Just copy and paste this into your comment!

    >>>Linux good, Microsoft bad!

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  75. tackle box by MadJo · · Score: 1

    Time to get my tackle box.. gots to get me some good fishing on teh intarweb

  76. Firefox vulnerable? by Anonymous Coward · · Score: 0

    I just did the test, I am using firefox, and it says my browser is vulnerable. So, it seems IE isn't alone in this?

    1. Re:Firefox vulnerable? by Anonymous Coward · · Score: 0

      Learn to read my friend.

  77. Yeah, it's a 30 minute process by thepotoo · · Score: 1
    OK, so I spend 30 minutes downloading/installing/configuring.

    I've just saved myself AT LEAST 5 or 6 hours of fucking around google trying to find ways to get rid of some piece of spyware.

    Come on. Who DOESN'T have time to install Firefox?

    --
    Obligatory Soundbite Catchphrase
    1. Re:Yeah, it's a 30 minute process by ZachPruckowski · · Score: 2, Insightful

      People don't think that way. Yes, an ounce of prevention is worth a pound of cure, but most people put off fixing things like that. Just like "One of these days I'll paint the kitchen", or the inevitable promise to eventually "clean out the garage", people might eventually plan on "figuring out that darn computer thing better", but as everyone knows, first there's the game on, then they have gardening to do, or walking the dog, or anything other than doing that, always promising to do it next week. Sort of like me and this paper due in an hour...

  78. Huh? by Anonymous Coward · · Score: 0

    Sorry, you lost me after "If people would pay attention..."

  79. Just tried it with our company's stock IE install by SCHecklerX · · Score: 1

    Seems like it uses a popup, which is blocked by MSIE by default. Makes me feel a little better about not having to send yet another alert down the chain.

  80. Mine is vulnerable. by Anonymous Coward · · Score: 0

    I have IE 6.0.2900.2180.blah.blah.blah running on Win XP SP2. It's vulnerable.

    I rarely ever use IE (for sites at work that only work on IE).

  81. lol by Intangion · · Score: 1

    that's awesome
    every week or two there is another major exploit or something..

    i use firefox at home but at work we HAVE to use IE.. as a result the IT staff keeps busy with OS reloads ;)

    at home when i used to use windows i used IE for the longest time cause i did hobbyist web development and since IE was the most popular i kept IE for testing websites on it

    also all of my shortcuts i set on IE before i got firefox, so mostly i used IE (got firefox mainly to test web sites i made)

  82. Re:Because... by rduke15 · · Score: 1

    Why are people still using IE

    Because their network admin doesn't have the time to figure out how to roll out a working install of Firefox (fully configured, and with all the desired plugins and extensions).

    I know. I did install FF on around 20 machines, and it wasn't easy to find a semi-automatic way to install. And it got worse when the 1.5 upgrade came: I eventually did go to all the 20 machines, and did the upgrade manually.

    Firefox is great for individual users (and even then, some find the stupid "browse for folder" dialog at install time annoying).

    But to install on a network with custom bookmarks, default languages, proxy settings, plugins for Acrobat, Quicktime, Real, Flash, and a few extensions, is no fun.

  83. Re:Why?? -- for IE only apps.... by LunaticTippy · · Score: 1
    I've been thinking about using that, it'd sure be nicer than opening IE. I use the separate cache feature now, but having it in a tab would be handy.

    Have you noticed any compatibility issues? I'm assuming it either has all the security holes IE does, or lacks full compatibility.

    --
    Man, you really need that seminar!
  84. Vulnerable? Maxthon: No; IE: Yes by microbee · · Score: 1

    The title says it all. It's so embarrassing since Maxthon uses IE engine.

  85. Or... by Z34107 · · Score: 1

    Or... people don't switch to Firefox because it's overrated and ugly.

    I liked Firefox a lot better than I liked IE6 and used it until I got a beta copy of IE7. It's fast, memory efficient, and clean, and dragged me back from Firefox. And, it has tabbed browsing. Woot.

    --
    DATABASE WOW WOW
  86. No by rbarreira · · Score: 1

    No, this has nothing to do with that vulnerability (which you would have noticed if you had actually read the link you gave).

    --

    The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    1. Re:No by Alaskan+Snake · · Score: 1

      ? I'm fuzzy on how it's different aside from the existence of an SSL session. FTA - The second vulnerability could enable a web page to display the URL from a different web site in the IE address bar. This spoofing could occur within a valid SSL session with the impersonated site. Both vulnerabilities could be used to convince a user that the attacker's web site was actually a different one - one that the user presumably trusts and would provide sensitive information to.

    2. Re:No by rbarreira · · Score: 1

      The old vulnerability has to do with misverification of SSL certificates.

      The new one has to do with "a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows".

      Just because the effect is the same that doesn't mean the bug is the same, so your original comment is completely uninformed. Anyone with some knowledge of programming will tell you the same.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  87. Re:Why?? -- for IE only apps.... by Nazo-San · · Score: 1

    The problem with that is that you are actually using IE, which defeats the purpose of using Firefox. In other words, you're still exposed to most of the bugs, the instability, and you are going from one browser that takes rather a lot of memory to one that assumes you don't need to actually be running any other programs while browsing the web AND takes up rather a lot of memory in addition to that. You might be safe from bugs like that address bar one (I'd verify this if I were you, it may still respond to such a command) but, you won't be immune to the far more numerous internal problems with the browser itself rather than the interface.

  88. My upper left corner is a minus inside a square... by Anonymous Coward · · Score: 0

    ... for ALL my applications, you insensitive clod!

  89. Re:Because... by Anonymous Coward · · Score: 0

    No kidding. I like a lot of Open Source software, but you nailed it on the head. It's a PAIN in the BUTT to roll most of it out to multiple desktops.

    If a client came to me and asked me to roll out 100 PCs I'd love to do the following:

    OpenOffice.org - PITA to install in a corp environment unless you go in and mess around with the various MSI files, to set the defaults up. It's a MS world, and the first point of adoption is to get OOo installed and working /w MS files. My opinion only .. but it's a major stumbling block. Heck, I even did an Ask Slashdot where a bunch of the responses were "Just stay with MS Office".

    Firefox - There's a neat little VBS script to roll this out and do profiles, but a bit of a PITA in itself..

    Sending Faxes .. Hmm .. Hylafax, but what good END USER fax client that can be rolled to multiple machines EASILY with a roaming phone book. Hylafax receive is nice, I just PDF to their email box. Easy there. :)

    Groupware. Don't get me started. Someone makes an email server that Outlook will NATIVELY talk to .. w00t .. Until then .. bleh. People don't wanna use anything than Outlook. Why? Because it's stupid simple and easy.

    A LOT of cool OSS software is out there. But it's good IMO for single user. Not multiple users.

  90. It doesn't really matter by porneL · · Score: 1

    This flaw doesn't really matter. Attackers don't need to spoof URL because users don't know what's the role of URL, how domains work and why https is important.

    Recent phishing study (covered on /.) shows that people think IP is "redirection number", padlock is for blocking cookies and any website that looks polished and says it's genuine and secure, really is.

    (IE sucks anyway)

  91. Everytime I go fishing with I.E..... by DRAGONWEEZEL · · Score: 1

    All I get is some Carp and a hangover

    duh duh... (silence)

    --
    How much is your data worth? Back it up now.
  92. Here is my screenshot by giriz · · Score: 1

    I have the latest version (i guess) 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 (why is it so long?) and i confirmed the flaw in this version. earlier posts denied this. I don't know how that is possible. Here is a screenshot http://www.cs.sunysb.edu/~gsugabra/ie-spoof.jpg

    --
    I don't want a signature.
  93. Re:Does work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by athakur999 · · Score: 1

    I've got the same build and the test did NOT work for me. I didn't change focus to another window or anything either.

    --
    "People that quote themselves in their signatures bother me" - athakur999
  94. Re:Why?? -- for IE only apps.... by zvar · · Score: 1

    IE Tab is great and I use it when stupid vendor sites will only work with IE. Problem is that it is IE. This specific exploit in the article works w/ Firefox 1.5.0.1 w/ WinXP and IE Tab version 1.0.8.
    The example link shows google in the address bar in IE mode.

  95. Re:Does work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by aaronl · · Score: 1

    I just tried it on another IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 machine with Update version SP2, all running on WinXP SP2. I ran tests through a Squid proxy, direct to the Internet, and through a Dans Guardian proxy. The exploit worked on all those configs.

    I'm pretty curious what the differences are, so that I can duplicate them!

  96. Damn! by jc42 · · Score: 1

    I finally upgraded my Mac Powerbook to Tiger last month, and I no longer have Internet Explorer to test it with.

    Maybe I'll try it with Safari or Camino or Opera or Firefox or Seamonkey or iWeb or ...

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  97. Firefox's IE Tab is also vulnerable by UnseenEnigma · · Score: 0, Redundant

    I know several people who use firefox with the IE Tab extension to get the benefits of Firefox's tabbed browsing for an IE rendering engine (and Integrated Auth). This configuration is also vulnerable to this exploit.

  98. All I See Is This by Anonymous Coward · · Score: 0

    Removed window.open(url, 'window')
    From http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/
    Because Script-based Popup

    in the atguard event log.

  99. again by Bizzeh · · Score: 1

    hmmn, i clicked the link with an unpatched IE, nothing happened... i wonder why that would be, ohh, because i know how to use the WWW. i have my popup blocker on high....

  100. That wouldn't help here.... by DrPizza · · Score: 1

    You have I presume noticed that the browser gets "www.google.com" stuck in its address bar by virtue of visiting www.google.com?

    This isn't due to scripts putting arbitrary text in the address bar. It's caused by a race condition. If in quick succession you visit a shockwave site and then some other URL, the browser does the following:

    1) start loading the evil shockwave site (showing its evil URL)
    2) start loading the friendly site (showing its friendly URL)
    3) finish loading the friendly site
    4) display the friendly site
    5) finish loading the evil shockwave site
    6) display the evil shockwave site

    As such, constraining the drawable area doesn't actually help--the exploit isn't writing to the address or status bar or anything like that. It's simply exploiting the behaviour of the shockwave plugin. If the shockwave plugin begins to load a site it's damn well going to finish loading it, even if the user (or a script) has navigated away from that site.

    To be honest, it's not clear to me if this is a problem with IE or the plugin in question; does IE exhibit this behaviour for any plugin, or is it just shockwave? I don't know if IE tells its plugins "cancel what you're doing, the user has navigated away", for example, or whether it would have the ability to discard the output of the plugin.
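
The load ordering described in the comment above, replayed as a deterministic model. This is an added example, not part of the original thread and not Internet Explorer's or the plugin's code; the class, the constructed URLs, the timings and the navigation-id check are all assumptions made for illustration.

```javascript
// Model of the six-step load ordering described above. Constructed example:
// the class, the URLs and the navigation-id check are assumptions.
const SLOW_PLUGIN_PAGE = "http://slow-plugin-page.example/"; // constructed
const FRIENDLY_SITE = "http://friendly.example/";            // constructed

class BrowserWindow {
  constructor(discardStaleLoads) {
    this.discardStaleLoads = discardStaleLoads;
    this.addressBar = null;  // URL the user sees
    this.displayed = null;   // URL whose content is actually rendered
    this.issuedNavs = 0;     // navigations queued so far
    this.currentNavId = 0;   // id of the most recently started navigation
    this.events = [];
    this.log = [];
  }

  // Queue a navigation that starts at `startAt`; its content arrives
  // `loadTime` ticks later.
  navigate(url, startAt, loadTime) {
    const navId = ++this.issuedNavs;
    this.events.push({ t: startAt, type: "start", navId, url });
    this.events.push({ t: startAt + loadTime, type: "finish", navId, url });
  }

  // Replay all queued events in time order and report the final state.
  run() {
    this.events.sort((a, b) => a.t - b.t);
    for (const ev of this.events) {
      if (ev.type === "start") {
        this.currentNavId = ev.navId;  // newest navigation owns the window
        this.addressBar = ev.url;      // bar updates when loading starts
        this.log.push(`t=${ev.t} start ${ev.url}`);
      } else if (this.discardStaleLoads && ev.navId !== this.currentNavId) {
        this.log.push(`t=${ev.t} discard stale content from ${ev.url}`);
      } else {
        this.displayed = ev.url;       // a late finisher overwrites content
        this.log.push(`t=${ev.t} display ${ev.url}`);
      }
    }
    return { addressBar: this.addressBar, displayed: this.displayed,
             consistent: this.addressBar === this.displayed, log: this.log };
  }
}

// Same two navigations in both runs; only the stale-load check differs.
function simulate(discardStaleLoads) {
  const win = new BrowserWindow(discardStaleLoads);
  win.navigate(SLOW_PLUGIN_PAGE, 0, 500); // steps 1, 5, 6
  win.navigate(FRIENDLY_SITE, 10, 100);   // steps 2, 3, 4
  return win.run();
}

console.log(simulate(false)); // ordering as described in the comment
console.log(simulate(true));  // content from superseded navigations dropped
```

Without the check, the address bar ends on the second URL while the rendered content comes from the first; with it, the late content is dropped and the two agree.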

  101. Solution...? by g00p · · Score: 1

    "Solution: Disable Active Scripting support." Until the next time?

    Better Solution: Disable IE & use Firefox.

    Complete remedy: Don't use an OS that invites malware & phishers like moths to a lamp.

    --
    g00p.
  102. Re:Why?? -- for IE only apps.... by Kincaidia · · Score: 1

    Using the IE Tab doesn't spawn an iexplore.exe process. It runs off of explore.exe which is always running. And if you have it set up only for a list of specific pages that require IE, any random phishing site will NOT be on that list, and will render in FireFox. I'm not saying it's perfect, but if someone is going to not be able to use firefox because of a single website, I'd rather see them use IE on that specific site and firefox for the rest.

  103. Windows flag by Barbarian · · Score: 1

    Windows XP (and maybe 2000) uses a Windows flag by default in the corner.

  104. Re:Why?? -- for IE only apps.... by Nazo-San · · Score: 1

    The tabs do not use iexplore.exe, but, they use internet explorer via calls and such. In other words, you're still stuck with internet explorer's ups and downs (not quite sure what ups there are.)

    As an Opera user who has had to deal with braindead sites for quite a while, I'd say that the issue of being required to use IE is just about gone. There's only one thing left that forces me to use Firefox these days, and that's a very very poorly written school site (WebCT.) How there can be such a big professional product so poorly designed that it can't work correctly in a 100% standards compliant browser is beyond me. (Actually, after I get past a really braindead login that tells me there is an internal server error if it sees that my browser is Opera, the only thing that doesn't work at least partially is the tests, which won't save your answers on the server so nothing happens when you click save and you can never complete the test except by opening another browser.) Using Opera, I have found that the very rare sites it won't work with, Firefox will, so I'd say that the other way around applies. For those people who just kind of almost hold a grudge against Opera, just use Firefox as your primary browser, and on the rare occasions it fails, load up Opera and you're set.

    BTW, tabbed browsing was mentioned earlier. Tabbed browsing is practically disabled in Firefox and even once you enable it it doesn't work very well (you have to load up about three extensions to get it working the way tabbed browsing should) and while in Opera it is no longer disabled by default due to the fact that the majority of their users like it, it can still be disabled with three to four clicks of the mouse. Tools->Preferences->(General Tab if it's not selected already->)Use Tabbed Browsing. I don't understand why anyone would hold tabbed browsing against browsers that so easily disable it (one of which practically starts out with it disabled.)

  105. IE7 and high assurance ssl certificates by nuttysquirrel · · Score: 1

    I downloaded the beta IE7 and tried it out on some sites with high assurance (manual validation) SSL certs and low assurance (automated validation) SSL certs. I didn't see any difference. I thought it was supposed to highlight high assurance SSL encrypted sites. On a related note, ssl.com just recently started carrying ssl certificates from all the popular brands (ie instantssl, rapidssl, thawte, geotrust, etc). I saw that they are selling rapidssl certificates for $14.95, and they normally go for $69. You have to use the coupon code RSD050606 which expires next month. Anyway, I got one and it works fine so no complaints here.