Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Phishing Flaw in Internet Explorer

Posted by ryuzaki0 on from the another-week-a-new-vulnerability dept.

JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

11 of 274 comments (clear)

  1. Bug fixed in IE7b2 by LocalH · · Score: 3, Informative

    I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.

    --
    FC Closer
    1. Re:Bug fixed in IE7b2 by Krach42 · · Score: 2, Informative

      I just checked in IE6, and I thought that the bug was gone, but it just turns out that if you don't stay in the window, it doesn't work. If the window loses focus, then the test will fail, even inside a vulnerable IE window.

      I retested keeping focus in the window, and confirmed the bug.

      --

      I am unamerican, and proud of it!
    2. Re:Bug fixed in IE7b2 by NeoThermic · · Score: 3, Informative

      You can also fix this in IE6. Go to Tools -> Options, click the security tab, then click on 'Custom Level'

      Scroll down until you find 'Navigate sub-frames across diffrent domains'; set it to prompt or disable.

      The test fails if you set it to disable, and it will ask you if its allowed (to exploit you) if you set it to prompt.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    3. Re:Bug fixed in IE7b2 by walt-sjc · · Score: 2, Informative

      The NoScript FF plugin allows selective use of javascript without messing with "security zones." Quite nice actually. Default deny, and partially allow as needed.

  2. even when this gets fixed.... by joe+155 · · Score: 2, Informative

    ...phishing is still going to be a serious problem... although the bar is important for users it shouldn't be the only source that they look for to see if a site is authentic, it should be based on all the factors which can give some inclination that the site is either legitimate or not and we need to create a culture where people look with caution on websites. See the register article on this topic with an interesting article on how people deal with these website http://www.theregister.co.uk/2006/03/31/phishing_s tudy/... worryingly the amount of time spent on a computer doesn't seem to have any effect on how much at risk people are.

    this should also serve as a reminder that people who get fooled with this aren't just stupid fools who don't know what a computer is.

    --
    *''I can't believe it's not a hyperlink.''
  3. Corporate Policy by Valdrax · · Score: 3, Informative

    I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.

    So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seem invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  4. Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. by Krach42 · · Score: 2, Informative

    I tried it first, and it failed, then I tried it again, and it worked. Turns out if you don't keep focus in the window, the flaw doesn't happen.

    Just for your info, I'm using:

    IE Version 6.0.2900.2180.xpsp_sp2_gdr.060220-1746

    and my Windows XP is fully patched.

    So it's probably a related issue, or something else, but your browser is definitely just as vulnerable to the flaw as mine.

    --

    I am unamerican, and proud of it!
  5. SSL and phishing by internic · · Score: 2, Informative

    If people would pay attention to whether the connection is a secure SSL connection, wouldn't that alleviate most of the problem? As I understand it the browser would show "secure" if the site has a valid SSL cert signed by one of the root certification authorities installed in your browser that was registered to the domain of the site you were looking at. I suppose it's possible that a phisher could get a valid SSL cert for their phishing domain, but isn't that pretty unlikely?

    Of course, training people to pay attention to whether it's an secure connection before giving important private information is a different issue, but it seems like you might be able to make some progress through education and adding features to the browser to make it a bit more obvious. You could make the secure icon more obvious, and you might even be able to get more clever and guess which pages are bank pages and ask "are you sure" when people try to send info unencrypted to those pages.

    Meanwhile, my bank and some of my credit cards have a login prompt on the front page that is not https. Sure, it starts an SSL connection after you hit login, but, at that point, if you've been spoofed it would already be too late.

    --
    "You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
  6. Re:Looks like I'm secure by Anonymous Coward · · Score: 2, Informative

    It crashed for me too. I turned the javascript popups to allow to see it, and then turned it off, and clicked again, and it crashed.

  7. Re:Why?? -- for IE only apps.... by Kincaidia · · Score: 2, Informative

    I would suggest This Firefox Plugin. Works like a dream - you can with a right click open any currently open tab in a new tab, rendered with IE instead of FireFox. You can also set specific websites (update.microsoft.com, etc) to automitically open with IE instead of FireFox. Best part for a web developer - they each have seperate caches, so I can have multiple logins to the same sites for testing purposes :)

  8. Works in IETab as well by Patman · · Score: 2, Informative

    Note that this exploit also works if you're using the IE Tab add-on for Firefox. I know that IE Tab basically runs IE in a Firefox window; but, I was surprised that the address bar was corruptible.