New Phishing Flaw in Internet Explorer

JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

Why??

[liliafan]

I know IE is supposed to still be the most popular web browser there is, but my site shows firefox is in much higher use (roughly 96%). But I guess that since over 97% of hits to my site have been from slashdot that isn't so unusual, I was suprised to see that 98% of visitors used windows.

Why are people still using IE, even the most uneducated users must have heard of alternative browsers by now. I am not specifically advocating any particular browser, I use firefox, but I have heard great reports about opera. Geez these days I would use lynx over IE (and quite often do). We hear about new vulnerabilities in IE all the time IE users get a clue.

Re:Why??

[LunaticTippy]

I'll tell you why.

It's the default browser.

I make it a point to install firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)

The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.

Re:Why??

[ZachPruckowski]

People keep IE because of two factors:

1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.

2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript

Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use. They don't bother with the "Top 10 list for making Windows faster" because it requires registry edits or going deep into the preferences or something. They're not dumb, it's just that computers aren't their field, and they don't like the idea of spending an hour changing something.

Re:Why??

[ThinkFr33ly]

You're missing the biggest factor.

Most people just don't care what browsering they're using. They just want to check their e-mail and go to myspace. It's as simple as that.

Many of the don't even know what a "browser" is. They call it "The Internet".

That's why people don't switch to Firefox.

Re:Why??

[LunaticTippy]

I try to think of my mother as a typical user. She can just barely get around on a computer. I (and many of her friends and relatives) try to educate as best as we can, but it is slow. She still sends out chain letters, including the shergold one. She needed me to help her install flash to see a stupid website. I told her she could print out documents at kinko's and she showed up there with her files at home.

Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.

Re:Why??

[Cruian]

Some people are used to Internet Explorer and its behavior. They can't get used to Firefox or similar browsers. I have tried to teach a few people to use Firefox, but they need the same lesson every time they sit down in front of it. Most of the alternate browsers have tabs, which seems to be the main cause for confusion that I have seen. Are there any alternate browsers that by default don't use tabs? I know you can get similar behavior with Firefox and probably others, but it is annoying to change preferences for just 10 minutes. We could try to give more in depth lessons on alternate browsers, and their benefits. Also, an index card with any differences from IE may prevent repeated lessons.

Re:Why??

[walt-sjc]

My father-in-law is another just like that. Imagine a guy that worked for 20 years at Digital (sales) and loses his 3-pane view in OE. Needs help getting it back. Said his speakers didn't work, found they were plugged into the mic jack. The guy is 70, so it's somewhat understandable, but it's amazing how many 30 year olds are like that too.

My help-desk employees never fail to inform me of the latest escapades from the "famous five" users that just can't seem to grasp the basics and cause 70% of all the helpdesk calls. Unfortunately, it's viable from a business perspective to damn near dedicate a low-level help desk person to help these people rather than just fire them for incompetance (not having the skills needed to do the job.) These people are NOT trainable. They never learn from mistakes.

The common computer user is lucky enough to have the basic skills to surf the net at all, and send email. Installing firefox is WAY over the top, no matter how easy. It's also "unintersting". They have better things to do, and IE DOES work - well enough anyway.

Re:Why??

[Nazo-San]

My father is similar. He has built systems for each of us in the past until I knew enough to build my own. He got a computer engineer degree way back when and started out at least playing around with home systems like those little atari PC-type things that used basic. Later on DOS and such with tools such as Lotus for obvious reasons.

Despite having spent more than a decade and a half on systems, even starting out before mice were even conceived of, he is not a completely mouse oriented person who doesn't know even simple keyboard shortcuts like CTRL+S. He works extensively with MS products like .NET, was the first to switch to NT among us (I had hardware issues for the longest time even with Win2K and liked 98SE better since it was more suitable to gaming/etc) and he hasn't even so much as dabbled in some live linux distro where you almost can't screw up (at least, so long as you don't do some moron stunt like dd if=/dev/zero of=/dev/hda or something... But, lol, you deserve what you get then.) This is a computer engineer user who had to start out knowing how to design curcuits and even build his own PC and having to write stuff like machine code. He WILL NOT consider alternatives to IE, Outlook, and other such tools. To my knowledge he has never even attempted another. I constantly tell him how great Opera is (and now that it's 100% free with no ads there's not any excuse not to at least try it anymore) and that Firefox with it's extentions is pretty neat as well, but, he won't even try them.

If we can't convert people like him, how in the heck are we going to convert people like Mr Average Joe Farmer who doesn't have the vaguest idea how to actually install another browser? They don't want to be bothered with having to do such things.

I have managed to convert my grandmother to Opera though. I had my aunt, but, a while back there was trouble with a really important site and she ended up using IE. I can't seem to get her back now that Opera is compatible with even most of IE's proprietary crap and can fool braindead servers into thinking it is IE so they won't refuse to work anymore. I think I've managed to almost force my mother to switch to Firefox because there were problems with IE (surprise surprise.) I'm working as hard as I can, but, when I step into the computer labs at my school, I see some of the people there using IE, I still can't convert my dad, and, among those people who know even less about things like web browsers I haven't managed to reach anyone but my grandmother.

Someone needs to run an ad campaign for Opera or something. Actually, come to think of it, my first thought was that the opensource Mozilla wouldn't have enough money for marketing, but, then again, considering how much they just donated to a good cause I wonder about that. Right now they rely a bit more than I like on word of mouth (well, ok, Opera is well known in the mobile segment, so many mobile users who enjoy having a browser that runs about as smoothly as you're going to get on a mobile device would be aware of the PC browser perhaps.) Then again, I guess the question is, can you get Average Joe to understand and care that IE is secretly installing backdoors on their system and sending all of their credit card info to some thirteen year old in New Jersey with too much free time? So far they just don't understand and keep on using it.

Re:Why??

[Xerp]

I often download the internet and put it onto someones hard disk for them.

I still have people calling their computer the "hard disk". People who know nothing are still trying to sound vaguely competant by saying "my hard disk is broken". Of course, saying this to someone with 1 point more tech-savvy than then just ends up confusing the poor person... as they actually believe the person.

So. Whats the easiest way to get these technophobes to switch to firefox? Lets see... make it as a flashy banner ad, spyware-style and they'll install it no time!! ^^

Re:Why??

[narkalepse]

Another reason: non-admin users in a large corporation whos request for alternatives are denied. I am one of those.
At home I use firefox and opera under Ubuntu.
At work I am forced to use IE under WinXP.
On the plus side, if the work PC gets slammed I am less likely to care. It would benefeit the IT department most if this company used a more secure browser than IE. It is hard to change culture, impossible to change corporate culture.

Re:Why??

[sl4shd0rk]

Most people just don't care what browsering they're using.

Actually, what I've found is that taking the time to explain to people what spyware is, how the popups get there, why they have 1300 infections, and that there is something they *can* do to minimize their risk, they are all for the idea.

The do not tend to respond well to: "Ditch that windows IE bullshit retard. go get firefox. what's your fucking problem?".

Test I can try?

[stunt_penguin]

1. Look up in top left hand corner of browser.
2. If icon is a blue 'e' then you're vulnerable.

That is all.

/ms troll

Re:Test I can try?

[jammindice]

Not even the beta IE 7 i have is working right, thank god firefox tested good, otherwise i might have to switch to lynx!!!

Bug fixed in IE7b2

[LocalH]

I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.

Re:Bug fixed in IE7b2

[Krach42]

I just checked in IE6, and I thought that the bug was gone, but it just turns out that if you don't stay in the window, it doesn't work. If the window loses focus, then the test will fail, even inside a vulnerable IE window.

I retested keeping focus in the window, and confirmed the bug.

Re:Bug fixed in IE7b2

[LocalH]

I stand corrected - I just did the same as you and found the vulnerability is present.

Re:Bug fixed in IE7b2

[NeoThermic]

You can also fix this in IE6. Go to Tools -> Options, click the security tab, then click on 'Custom Level'

Scroll down until you find 'Navigate sub-frames across diffrent domains'; set it to prompt or disable.

The test fails if you set it to disable, and it will ask you if its allowed (to exploit you) if you set it to prompt.

NeoThermic

Re:Bug fixed in IE7b2

[walt-sjc]

The NoScript FF plugin allows selective use of javascript without messing with "security zones." Quite nice actually. Default deny, and partially allow as needed.

Confirmed vulnerable

[paulproteus]

I tested this attack in Internet Explorer 6 on Ubuntu 5.10 running the current Wine deb from winehq.

Your Slashdot Login Information

[eno2001]

Warning. Your Slashdot login information may have been compromised by a sly fox. To ensure greater security please reply to this comment with your current UID and password and the new password you want. I'll be sure to forward it off to CmdrTaco as soon as I see a response.

Thanks,
Internet Security Sheriff

even when this gets fixed....

[joe+155]

...phishing is still going to be a serious problem... although the bar is important for users it shouldn't be the only source that they look for to see if a site is authentic, it should be based on all the factors which can give some inclination that the site is either legitimate or not and we need to create a culture where people look with caution on websites. See the register article on this topic with an interesting article on how people deal with these website http://www.theregister.co.uk/2006/03/31/phishing_s tudy/... worryingly the amount of time spent on a computer doesn't seem to have any effect on how much at risk people are.

this should also serve as a reminder that people who get fooled with this aren't just stupid fools who don't know what a computer is.

Corporate Policy

[Valdrax]

I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.

So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seem invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.

The following versions are affected:

[Quince+alPillan]

According to the advisory linked in the article:

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.

But I'm running IE6 on XP SP2 fully patched and I'm not vulnerable to their test. Since this involves macromedia flash, I'm assuming this is mixed with a bug in flash or else something else besides IE alone is causing this bug.

Re:The following versions are affected:

[Mostly+a+lurker]

As I understand it, there is a timing component to the flaw and I could imagine you not being vulnerable if the SWF file is too small or you have an extremely fast Internet connection.

Ga!

[MightyMartian]

New Phishing Flaw in Internet Explorer

I'm shocked, I tell you, I'm shocked!

Re:Ga!

[madnuke]

It dosnt work in Firefox :P so much for browser compatiabilty.

Which Version?

[kid-noodle]

Judging from my own quick go on the test as well as the /. comments, the advisory that this affects 6.x versions is wrong. It would be more useful if there was information on which 6.x versions it affects - is this an issue intoduced in a recent patch, or is it pre-whatever versions only? (And an undetermined number of IE7 versions)

Is this related to the flash player version?

More data needed!

Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr..

[Krach42]

I tried it first, and it failed, then I tried it again, and it worked. Turns out if you don't keep focus in the window, the flaw doesn't happen.

Just for your info, I'm using:

IE Version 6.0.2900.2180.xpsp_sp2_gdr.060220-1746

and my Windows XP is fully patched.

So it's probably a related issue, or something else, but your browser is definitely just as vulnerable to the flaw as mine.

Umm...

[atrader42]

When I run IE, the icon in the top left is an arrow pointing left...does that mean I'm ok and Paypal really does need me to confirm my account details several times a day?

What?

[snib]

This doesn't work in Firefox. I hate it when people only design their pages for IE!!

Looks like I'm secure

[m50d]

I tried to open the test page in Konqueror and it crashed. I wish I was joking :(

Re:Looks like I'm secure

It crashed for me too. I turned the javascript popups to allow to see it, and then turned it off, and clicked again, and it crashed.

Fundamental Browser Issue

[chill]

The concept is simple. See the button bar (tab bar on Firefox) up top? Now look down -- see the Status bar down below? In between there is the screen real estate that content should be allowed to touch. Under no circumstances should anything outside of that area be touchable by the browser or any task/thread/job spawned by the browser. Period. The URL bar, button bar, toolbar, and statusbar should be inviolate. Javascript (or ANY script) should be unable to display text in the status bar, thus making it impossible to lie about link location.

Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.

Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.

* * *

For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.

SSL and phishing

[internic]

If people would pay attention to whether the connection is a secure SSL connection, wouldn't that alleviate most of the problem? As I understand it the browser would show "secure" if the site has a valid SSL cert signed by one of the root certification authorities installed in your browser that was registered to the domain of the site you were looking at. I suppose it's possible that a phisher could get a valid SSL cert for their phishing domain, but isn't that pretty unlikely?

Of course, training people to pay attention to whether it's an secure connection before giving important private information is a different issue, but it seems like you might be able to make some progress through education and adding features to the browser to make it a bit more obvious. You could make the secure icon more obvious, and you might even be able to get more clever and guess which pages are bank pages and ask "are you sure" when people try to send info unencrypted to those pages.

Meanwhile, my bank and some of my credit cards have a login prompt on the front page that is not https. Sure, it starts an SSL connection after you hit login, but, at that point, if you've been spoofed it would already be too late.

Re:Does this work with SSL sites too?

[Amouth]

i just modified the code and tested it it will work with https.. It shows

https://www.google.com/ in the address bar BUT does not use ssl you do not get the lock in IE.. and also if you try and use it with a domain other than the one the link is on it causes a full redirect and you get the right adress in the bar same happens if you try it on a site that is using ssl

Good Grief

[rAiNsT0rm]

The other day I sent out an email to everyone in our company warning them of a new phishing scheme with a copy of the email attached. Within 10 minutes I had not one, but TWO replies to me with people's account/password info.

So not only did they miss the entire message, they also couldn't even give their information to the right person. I wanted to just cry... I honestly think phishers deserve some peoples information.

Here you go

[Dr.+Evil]

Dr. Evil, blah2glorb

Re:Here you go

[rAiNsT0rm]

hehehe, awesome. The sad part is that phishers do all this elaborate bullshit to fake their requests, when I guarantee a plain text email asking nicely for info would net them just as many results.

Re:Why?? -- for IE only apps....

[Kincaidia]

I would suggest This Firefox Plugin. Works like a dream - you can with a right click open any currently open tab in a new tab, rendered with IE instead of FireFox. You can also set specific websites (update.microsoft.com, etc) to automitically open with IE instead of FireFox. Best part for a web developer - they each have seperate caches, so I can have multiple logins to the same sites for testing purposes :)

Works in IETab as well

[Patman]

Note that this exploit also works if you're using the IE Tab add-on for Firefox. I know that IE Tab basically runs IE in a Firefox window; but, I was surprised that the address bar was corruptible.

moderate risk?

[goldfita]

The article said this is a moderate security risk. This is bad. At first they were asking for private information in e-mail. Then they were coping web sites and linking to them. I've already had to train myself to be wary of e-mail. Now I've started looking at URLs. But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?

The spam is bad enough, but I'm frequently clicking the 'report phishing' link these days. You only have to make a mistake once.

Re:moderate risk?

[fdiskne1]

But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?

Simple. If it comes to you in an email or in any way other than you typing the URL in the address bar, it's fake. Granted, DNS poisoning can still take advantage, but that's not the browser's fault. At least this is the way I treat any email requesting me to log on somewhere. I saw an email one of our users received that looked like a phishing email in that it asked them to click a link to login and view their bank account. They said their bank always sent this type of email. I looked at the source of the email and it was going to the correct URL. It wasn't faked. If you ask me, that bank is just asking to have their customers get ripped off.

Remember January 15th, 2002,

[dpbsmith]

when in an internal memo, Bill Gates said "We must lead the industry to a whole new level of Trustworthiness in computing."

Remind me, again... how many major OS releases and services packs and IE versions have been released since then?

Boot Camp

[AragornSonOfArathorn]

I'm running IE on my new MacBook via Boot Camp. But since Macs don't get viruses, I'm safe, right?

Re:Yeah, it's a 30 minute process

[ZachPruckowski]

People don't think that way. Yes, an ounce of prevention is worth a pound of cure, but most people put off fixing things like that. Just like "One of these days I'll paint the kitchen", or the inevitable promise to eventually "clean out the garage", people might eventually plan on "figuring out that darn computer thing better", but as everyone knows, first there's the game on, then they have gardening to do, or walking the dog, or anything other than doing that, always promising to do it next week. Sort of like me and this paper due in an hour...