New Phishing Flaw in Internet Explorer
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (German) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."
According to the advisory linked in the article:
But I'm running IE6 on XP SP2 fully patched and I'm not vulnerable to their test. Since this involves Macromedia Flash, I'm assuming this is mixed with a bug in Flash, or else something else besides IE alone is causing this bug.
Judging from my own quick go on the test as well as the /. comments, the advisory that this affects 6.x versions is wrong. It would be more useful if there was information on which 6.x versions it affects - is this an issue introduced in a recent patch, or is it pre-whatever versions only? (And an undetermined number of IE7 versions)
Is this related to the flash player version?
More data needed!
fortune -o
Maxthon, another IE shell, doesn't seem that vulnerable. With default settings, only the Google page opened.
With AdHunter disabled (namely the auto popup blocker bit), 3 tabs opened: Google, and moments later the two Secunia pages.
Only after unticking 'Ignore window ID assignment' in Options did all 3 load in the same tab.
I just modified the code and tested it; it will work with HTTPS. It shows https://www.google.com/ in the address bar BUT does not use SSL; you do not get the lock in IE. Also, if you try to use it with a domain other than the one the link is on, it causes a full redirect and you get the right address in the bar. The same happens if you try it on a site that is using SSL.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
The article said this is a moderate security risk. This is bad. At first they were asking for private information in e-mail. Then they were copying web sites and linking to them. I've already had to train myself to be wary of e-mail. Now I've started looking at URLs. But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?
The spam is bad enough, but I'm frequently clicking the 'report phishing' link these days. You only have to make a mistake once.
My father-in-law is another just like that. Imagine a guy that worked for 20 years at Digital (sales) and loses his 3-pane view in OE. Needs help getting it back. Said his speakers didn't work; found they were plugged into the mic jack. The guy is 70, so it's somewhat understandable, but it's amazing how many 30-year-olds are like that too.
My help-desk employees never fail to inform me of the latest escapades from the "famous five" users that just can't seem to grasp the basics and cause 70% of all the helpdesk calls. Unfortunately, it's viable from a business perspective to damn near dedicate a low-level help desk person to help these people rather than just fire them for incompetence (not having the skills needed to do the job). These people are NOT trainable. They never learn from mistakes.
The common computer user is lucky enough to have the basic skills to surf the net at all, and send email. Installing Firefox is WAY over the top, no matter how easy. It's also "uninteresting". They have better things to do, and IE DOES work - well enough anyway.
My father is similar. He has built systems for each of us in the past until I knew enough to build my own. He got a computer engineering degree way back when and started out at least playing around with home systems like those little Atari PC-type things that used BASIC. Later on DOS and such with tools such as Lotus for obvious reasons.
Despite having spent more than a decade and a half on systems, even starting out before mice were even conceived of, he is not a completely mouse-oriented person who doesn't know even simple keyboard shortcuts like CTRL+S. He works extensively with MS products like
.NET, was the first to switch to NT among us (I had hardware issues for the longest time even with Win2K and liked 98SE better since it was more suitable to gaming/etc), and he hasn't even so much as dabbled in some live Linux distro where you almost can't screw up (at least, so long as you don't do some moron stunt like dd if=/dev/zero of=/dev/hda or something... But, lol, you deserve what you get then.) This is a computer engineer user who had to start out knowing how to design circuits and even build his own PC and having to write stuff like machine code. He WILL NOT consider alternatives to IE, Outlook, and other such tools. To my knowledge he has never even attempted another. I constantly tell him how great Opera is (and now that it's 100% free with no ads there's not any excuse not to at least try it anymore) and that Firefox with its extensions is pretty neat as well, but he won't even try them.
If we can't convert people like him, how in the heck are we going to convert people like Mr Average Joe Farmer who doesn't have the vaguest idea how to actually install another browser? They don't want to be bothered with having to do such things.
I have managed to convert my grandmother to Opera though. I had my aunt, but a while back there was trouble with a really important site and she ended up using IE. I can't seem to get her back now that Opera is compatible with even most of IE's proprietary crap and can fool braindead servers into thinking it is IE so they won't refuse to work anymore. I think I've managed to almost force my mother to switch to Firefox because there were problems with IE (surprise, surprise). I'm working as hard as I can, but when I step into the computer labs at my school, I see some of the people there using IE, I still can't convert my dad, and among those people who know even less about things like web browsers I haven't managed to reach anyone but my grandmother.
Someone needs to run an ad campaign for Opera or something. Actually, come to think of it, my first thought was that the open-source Mozilla wouldn't have enough money for marketing, but then again, considering how much they just donated to a good cause, I wonder about that. Right now they rely a bit more than I like on word of mouth (well, ok, Opera is well known in the mobile segment, so many mobile users who enjoy having a browser that runs about as smoothly as you're going to get on a mobile device would be aware of the PC browser perhaps). Then again, I guess the question is, can you get Average Joe to understand and care that IE is secretly installing backdoors on their system and sending all of their credit card info to some thirteen year old in New Jersey with too much free time? So far they just don't understand and keep on using it.
Another reason: non-admin users in a large corporation whose requests for alternatives are denied. I am one of those.
At home I use Firefox and Opera under Ubuntu.
At work I am forced to use IE under WinXP.
On the plus side, if the work PC gets slammed I am less likely to care. It would benefit the IT department most if this company used a more secure browser than IE. It is hard to change culture, impossible to change corporate culture.
~Why even bother.