An update on the recently reported IE vulnerability that lets people create fake sites that look real while disguising their true address. You can see the bug in action using this hoax site: here (designed by us). If you are on IE and visit the "site", your Address bar will be wrong (it will say symantec.com), but your status bar, once in the page, may show that something is bogus. If you still think it is Symantec, click the privacy link at the bottom of the page.
You can also see a demo of faking a secure page with a padlock and a valid certificate (but not one from PayPal): here
Some facts about the vulnerability:
• Once at a fake site, only File..Properties will reveal a strange URL that does not agree with the Address bar.
• It appears that basically all Windows MSIE versions are vulnerable.
• If you use MSIE "enhancers" such as IRider, you may be protected from the problem.
• With JavaScript enabled, it is trivial for the hoax site to modify the MSIE "Status bar" to show whatever it wishes.
• Microsoft has rated the vulnerability "moderately critical" (is this like "somewhat dead"?) and, according to recent news, will not rush out a patch for it, or for the others spotted this month, due to testing complexities.
• Despite what some newspapers report from the "Secure Data Group", Mozilla and other browsers are NOT vulnerable.
• It is possible to fake more than just the domain name; you can fake any location you wish: example
• Should we panic? No. If you enter web addresses yourself (by typing them) or use your known good bookmarks to reach banking and other sites, you have nothing to fear from this vulnerability. As always, beware of unsolicited invitations to "click" where the destination site requires any sensitive information from you.
AOL has updated their mail filters to refuse any mail with this kind of warped link in it; such email gets bounced with the error "554_TRANSACTION_FAILED:__(HVU:B1)_The_URL_contained_in_your_
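As an added example (not code from the original story, and not AOL's actual filter, which the story does not describe), here is the kind of check a mail gateway could run over message bodies to refuse disguised links. It assumes the warped links hide their real destination using the URL userinfo field (text before an @ in the authority part, which a reader takes for the host name) or percent-encoded control characters in that part; the message text, host names and regexes are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) URLs inside a plain-text message body (constructed, deliberately loose).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Percent-encoded control characters (%00-%1F, %7F); these have no business in a host name.
CONTROL_ESCAPE_RE = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)

# Constructed sample message: one honest link, one link with a decoy host in the
# userinfo field, one with both a decoy and a control character, one plain link.
SAMPLE_MESSAGE = """\
Click here for DSL for 11 bucks a month: http://www.example-dsl.test/signup
Verify your account now: http://www.bank.example@203.0.113.7/login
Limited offer, act today: http://www.bank.example%01@hoax.example/login
Unsubscribe: http://lists.example/unsub?u=42
"""


def classify_url(url):
    """Return the reasons a URL looks disguised; an empty list means it looks honest."""
    reasons = []
    try:
        netloc = urlsplit(url).netloc
    except ValueError as exc:
        # A URL the parser rejects is itself suspicious for a mail filter.
        return [f"unparseable URL ({exc})"]
    if "@" in netloc:
        # Everything before the last @ is userinfo; only the part after it is the host.
        decoy, real_host = netloc.rsplit("@", 1)
        reasons.append(f"userinfo '{decoy}' precedes the real host '{real_host}'")
    if CONTROL_ESCAPE_RE.search(netloc):
        reasons.append("percent-encoded control character in the authority part")
    return reasons


def scan_message(body):
    """Return [(url, reasons)] for every URL in the body that the filter would refuse."""
    flagged = []
    for url in URL_RE.findall(body):
        reasons = classify_url(url)
        if reasons:
            flagged.append((url, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"REFUSE {url}")
        for reason in reasons:
            print(f"   - {reason}")
```

A gateway would bounce the message when `scan_message` returns anything, which is the behaviour the AOL error text above describes; the honest link and the unsubscribe link pass untouched because neither has userinfo or control escapes in its authority part.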
It is possible to fake an entire site using web server redirectors. A normal link of the kind often seen on the web, "click here for DSL for 11 bucks a month", could turn into a fake Yahoo-DSL signup page whose local links looked entirely correct, backed by a redirector so that the victim never knew that every local link returned them to new pages on the phish site.
Browsers should consider showing the NAME of the company on the SSL certificate next to the LOCK icon the browser shows for secure sites. That would be of great utility in stopping fake sites (phishing) in future. Almost nobody inspects certificates if the browser says they are valid (but valid, belonging to whom?). After all, anyone with 39.95 and some basic credentials can get a 128-bit certificate now.
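To show what "valid, belonging to whom?" means in practice, here is an added example (not from the original story or any browser's code) that builds the kind of label proposed above from a certificate and the host the user thinks they are visiting. The certificate is a constructed dictionary in the shape Python's `ssl` module returns from `getpeercert()`; the organization and host names are made up for the demo. The label reports the certificate's organization and whether its DNS names actually cover the host in the address bar, so a valid certificate issued to somebody else is called out instead of earning a padlock.

```python
# Constructed peer certificate in ssl.SSLSocket.getpeercert() layout (names are fictitious).
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Payments, Inc."),),
        (("commonName", "www.payments.example"),),
    ),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.payments.example"), ("DNS", "payments.example")),
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}


def subject_field(cert, key):
    """Pull one attribute (e.g. organizationName) out of the nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def cert_dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = subject_field(cert, "commonName")
        if cn:
            names.append(cn)
    return names


def dns_name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one host label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # *.example.com matches a.example.com, not example.com and not a.b.example.com
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def lock_label(cert, url_host):
    """Return (identity_matches, text to show next to the padlock)."""
    org = subject_field(cert, "organizationName") or "(no organization named in certificate)"
    names = cert_dns_names(cert)
    if any(dns_name_matches(pattern, url_host) for pattern in names):
        return True, f"Secure: certificate issued to {org} for {url_host}"
    return False, (f"Warning: certificate belongs to {org} ({', '.join(names)}), "
                   f"not to {url_host}")


if __name__ == "__main__":
    for host in ("www.payments.example", "www.paypal-example.test"):
        print(lock_label(SAMPLE_PEER_CERT, host)[1])
```

The second call illustrates the case the story worries about: the certificate itself is perfectly valid, but it was issued to a different organization for different names, and a label that prints the organization makes that visible without anyone opening the certificate dialog.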
By the way: please keep comments attached to this story to further information, corrections or discoveries. There is a long topic in the security forum and in the comments to the last story, where possibly someone has already said what you are thinking of saying.