New Phishing Flaw in Internet Explorer
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (German) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."
I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.
FC Closer
Username - Communal Account Password - kFhthALQ I hope this helps.
A public account: log in as "Communal Account", password is "kFhthALQ".
...phishing is still going to be a serious problem... although the bar is important for users it shouldn't be the only source that they look for to see if a site is authentic, it should be based on all the factors which can give some inclination that the site is either legitimate or not and we need to create a culture where people look with caution on websites. See The Register article on this topic with an interesting article on how people deal with these websites http://www.theregister.co.uk/2006/03/31/phishing_study/ ... worryingly the amount of time spent on a computer doesn't seem to have any effect on how much at risk people are.
This should also serve as a reminder that people who get fooled with this aren't just stupid fools who don't know what a computer is.
*''I can't believe it's not a hyperlink.''
I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.
So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seems invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get it to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I tried it first, and it failed, then I tried it again, and it worked. Turns out if you don't keep focus in the window, the flaw doesn't happen.
Just for your info, I'm using:
IE Version 6.0.2900.2180.xpsp_sp2_gdr.060220-1746
and my Windows XP is fully patched.
So it's probably a related issue, or something else, but your browser is definitely just as vulnerable to the flaw as mine.
I am unamerican, and proud of it!
If people would pay attention to whether the connection is a secure SSL connection, wouldn't that alleviate most of the problem? As I understand it the browser would show "secure" if the site has a valid SSL cert signed by one of the root certification authorities installed in your browser that was registered to the domain of the site you were looking at. I suppose it's possible that a phisher could get a valid SSL cert for their phishing domain, but isn't that pretty unlikely?
Of course, training people to pay attention to whether it's a secure connection before giving important private information is a different issue, but it seems like you might be able to make some progress through education and adding features to the browser to make it a bit more obvious. You could make the secure icon more obvious, and you might even be able to get more clever and guess which pages are bank pages and ask "are you sure" when people try to send info unencrypted to those pages.
Meanwhile, my bank and some of my credit cards have a login prompt on the front page that is not https. Sure, it starts an SSL connection after you hit login, but, at that point, if you've been spoofed it would already be too late.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
It crashed for me too. I turned the javascript popups to allow to see it, and then turned it off, and clicked again, and it crashed.
Except that in this exploit the content doesn't modify the address bar. It takes advantage of a bug in IE to trick the browser itself into forgetting to update the address when the page is redirected.
So, sorry, but even if IE was designed to the principles you suggest, it would still be vulnerable to this. It's the implementation that's buggy, not the design.
I would suggest this Firefox plugin. Works like a dream - you can with a right click open any currently open tab in a new tab, rendered with IE instead of Firefox. You can also set specific websites (update.microsoft.com, etc) to automatically open with IE instead of Firefox. Best part for a web developer - they each have separate caches, so I can have multiple logins to the same sites for testing purposes :)
Note that this exploit also works if you're using the IE Tab add-on for Firefox. I know that IE Tab basically runs IE in a Firefox window; but, I was surprised that the address bar was corruptible.
> Why are people still using IE, even
> the most uneducated users must have
> heard of alternative browsers by now.
I have very little difficulty with most of these "bugs" that get reported. They don't happen to me. The OSS devotees with whom I am acquainted are frequently claiming I lead some kind of charmed life.
The fact is, most people do not practice secure browsing habits, which is a problem in ANY browser. There is nothing on the planet that can protect you from clicking a link to sucker.we-steal-your-money.com if you're stupid enough to do it. IE gives me more than enough ability to determine where this link really leads, and since I check the link before clicking it, I don't click those links. The idea that OSS advocates consider this some sort of abnormal magical protection is truly frightening.
So why do I use IE? Because security is a process, not a product. I use IE safely. Other browsers often try to "protect" me by concealing the information I could use to make my own decision, making the decision for me instead. Some products actively prevent me from making my own decision, deliberately overriding my requests because they simply can't believe I might actually *want* to do what I said. This isn't security, it's infantilism. You can keep it. I'll use something that does what I tell it, even when it thinks I'm crazy. Like IE.
Once upon a time, we used to say "UNIX doesn't stop you from doing stupid things, because that would stop you from doing clever things". We criticised Windows for preventing the user from doing clever things. Microsoft listened, and changed their stance significantly. So now we're criticising Windows for letting you do stupid things. How ironic.
Microsoft cheerleader, blue flag waving, you got a problem with that?