New Phishing Flaw in Internet Explorer
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (German) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."
1. Look up in top left hand corner of browser.
/ms troll
2. If icon is a blue 'e' then you're vulnerable.
That is all.
When the posters fear their moderators, there is tyranny; when the moderators fear the posters, there is liberty.
I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.
FC Closer
It's the default browser.
I make it a point to install Firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)
The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.
Man, you really need that seminar!
Warning. Your Slashdot login information may have been compromised by a sly fox. To ensure greater security please reply to this comment with your current UID and password and the new password you want. I'll be sure to forward it off to CmdrTaco as soon as I see a response.
Thanks,
Internet Security Sheriff
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
People keep IE because of two factors:
1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.
2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript.
Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use. They don't bother with the "Top 10 list for making Windows faster" because it requires registry edits or going deep into the preferences or something. They're not dumb, it's just that computers aren't their field, and they don't like the idea of spending an hour changing something.
I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.
So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seems invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get it to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
You're missing the biggest factor.
Most people just don't care what browser they're using. They just want to check their e-mail and go to myspace. It's as simple as that.
Many of them don't even know what a "browser" is. They call it "The Internet".
That's why people don't switch to Firefox.
I'm shocked, I tell you, I'm shocked!
The world's burning. Moped Jesus spotted on I50. Details at 11.
Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.
Man, you really need that seminar!
Judging from my own quick go on the test as well as the /. comments, the advisory that this affects 6.x versions is wrong. It would be more useful if there was information on which 6.x versions it affects - is this an issue introduced in a recent patch, or is it pre-whatever versions only? (And an undetermined number of IE7 versions)
Is this related to the flash player version?
More data needed!
fortune -o
This doesn't work in Firefox. I hate it when people only design their pages for IE!!
This message will self-destruct in 5, 4, 3...
I tried to open the test page in Konqueror and it crashed. I wish I was joking :(
I am trolling
The concept is simple. See the button bar (tab bar on Firefox) up top? Now look down -- see the Status bar down below? In between there is the screen real estate that content should be allowed to touch. Under no circumstances should anything outside of that area be touchable by the browser or any task/thread/job spawned by the browser. Period. The URL bar, button bar, toolbar, and statusbar should be inviolate. Javascript (or ANY script) should be unable to display text in the status bar, thus making it impossible to lie about link location.
Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.
Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.
* * *
For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.
Learning HOW to think is more important than learning WHAT to think.
The other day I sent out an email to everyone in our company warning them of a new phishing scheme with a copy of the email attached. Within 10 minutes I had not one, but TWO replies to me with people's account/password info.
So not only did they miss the entire message, they also couldn't even give their information to the right person. I wanted to just cry... I honestly think phishers deserve some people's information.
http://teasphere.wordpress.com - A little spot of tea
hehehe, awesome. The sad part is that phishers do all this elaborate bullshit to fake their requests, when I guarantee a plain text email asking nicely for info would net them just as many results.
http://teasphere.wordpress.com - A little spot of tea
My father is similar. He has built systems for each of us in the past until I knew enough to build my own. He got a computer engineer degree way back when and started out at least playing around with home systems like those little Atari PC-type things that used BASIC. Later on DOS and such with tools such as Lotus for obvious reasons.
Despite having spent more than a decade and a half on systems, even starting out before mice were even conceived of, he is not a completely mouse oriented person who doesn't know even simple keyboard shortcuts like CTRL+S. He works extensively with MS products like .NET, was the first to switch to NT among us (I had hardware issues for the longest time even with Win2K and liked 98SE better since it was more suitable to gaming/etc) and he hasn't even so much as dabbled in some live Linux distro where you almost can't screw up (at least, so long as you don't do some moron stunt like dd if=/dev/zero of=/dev/hda or something... But, lol, you deserve what you get then.) This is a computer engineer user who had to start out knowing how to design circuits and even build his own PC and having to write stuff like machine code. He WILL NOT consider alternatives to IE, Outlook, and other such tools. To my knowledge he has never even attempted another. I constantly tell him how great Opera is (and now that it's 100% free with no ads there's not any excuse not to at least try it anymore) and that Firefox with its extensions is pretty neat as well, but, he won't even try them.
If we can't convert people like him, how in the heck are we going to convert people like Mr Average Joe Farmer who doesn't have the vaguest idea how to actually install another browser? They don't want to be bothered with having to do such things.
I have managed to convert my grandmother to Opera though. I had my aunt, but, a while back there was trouble with a really important site and she ended up using IE. I can't seem to get her back now that Opera is compatible with even most of IE's proprietary crap and can fool braindead servers into thinking it is IE so they won't refuse to work anymore. I think I've managed to almost force my mother to switch to Firefox because there were problems with IE (surprise surprise.) I'm working as hard as I can, but, when I step into the computer labs at my school, I see some of the people there using IE, I still can't convert my dad, and, among those people who know even less about things like web browsers I haven't managed to reach anyone but my grandmother.
Someone needs to run an ad campaign for Opera or something. Actually, come to think of it, my first thought was that the opensource Mozilla wouldn't have enough money for marketing, but, then again, considering how much they just donated to a good cause I wonder about that. Right now they rely a bit more than I like on word of mouth (well, ok, Opera is well known in the mobile segment, so many mobile users who enjoy having a browser that runs about as smoothly as you're going to get on a mobile device would be aware of the PC browser perhaps.) Then again, I guess the question is, can you get Average Joe to understand and care that IE is secretly installing backdoors on their system and sending all of their credit card info to some thirteen year old in New Jersey with too much free time? So far they just don't understand and keep on using it.