dslreports logo
 story category
Update on the IE vulnerability
Some facts

An update on the recently reported IE vulnerability that lets people create fake sites that look real and disguise their true address. You can see the bug in action using this hoax site: here (designed by us). If you are on IE, and visit the "site", your Address bar will be wrong (say symantec.com). But your status bar, once in the page, may show something is bogus. If you don't believe it is not Symantec, click the privacy link at the bottom of the page.

You can also see a demo of faking a secure page with padlock and valid certificate (but not one from paypal): here.

Some facts about the vulnerability:

• Once at a fake site, only File..Properties will reveal a strange URL that does not agree with the Address bar.

• It appears that basically all windows MSIE versions are vulnerable.

• If you use MSIE "enhancers" such as IRider, you may be protected from the problem.

• With java script enabled, it is trivial for the hoax site to modify the MSIE "Status bar" to show whatever it wishes.

• Examples have been posted of mostly obscuring the tell-tale info in the IE status bar at the bottom, after you are on a hoax site, even with javascript (Active-Scripting) turned off.

• Microsoft has rated the vulnerability "moderately critical" (is this like "somewhat dead"?) and will not rush out a patch for it, or others spotted this month, due to testing complexities. According to recent news.

• Despite what some newspapers report from the " Secure Data Group. ", Mozilla and other browsers are NOT vulnerable.

Mozilla, firebird and other browsers allow JavaScript to set a status bar title when your mouse hovers over a link to a hoax site, as does IE, but when you have arrived at the hoax site, only IE is faked out where it matters: in the address bar.

• It is possible to fake more than just the domain name. You can fake any location you wish. example.

• Should we panic? no. if you enter web addresses yourself (by typing them) or by using your known good bookmarks, to reach banking and other sites, you have nothing to fear from this vulnerability. As always, beware of unsolicited invitations to "click" -- where the destination site requires any sensitive information from you.

update AOL has updated their mail filters to refuse any mail with these kind of warped links in them .. email gets bounced with the error "554_TRANSACTION_FAILED:__(HVU:B1)_The_URL_contained_in_your_

email_to_AOL_members_has_generated_a_high_volume_of_complaints."

update It is possible to fake an entire site - using web server redirectors. A normal link that is often used and seen on the web etc - "click here for DSL for 11 bucks a month" - could turn into a fake Yahoo-DSL signup page, that included local links that were entirely correct looking, backed by a redirector such that the victim never knew that all local links returned them to new pages on the phish site.

Browsers should consider showing the NAME of the company on the SSL certificate next to the LOCK icon the browser shows for secure sites. That would be of great utility to stop possible fake sites (Phishing) in future. Almost nobody inspects certificates if the browser says they are valid (but valid belonging to whom?). After all, anyone with 39.95 and some basic credentials can get a 128bit certificate now.

by the way : please keep attached comments on this story to any further information or corrections or discoveries? there is a long topic in the security forum and in the comments to the last story, where possibly someone has already said what you are thinking of saying.
view:
topics flat nest 
page: 1 · 2 · next

borborpa
Slipping Slowly Into Oblivion
Premium Member
join:2002-02-20
New Cumberland, PA

borborpa

Premium Member

Another reason to use Firebird...


Amaethon
join:2000-10-22
USA

Amaethon

Member

Re: Another reason to use Firebird...

No fix yet eaither.. shessh
youngmoore
join:2001-03-16
Marietta, GA

youngmoore

Member

Re: Another reason to use Firebird...

this is what I get from firebird
»www.symantec.com%2Fanyth ··· dex.html

from IE
»www.symantec.com/anythin ··· ut/here/

Interesting

From my understanding you can clock the URL line to just about anything you want. I use that for our webmail so it just shows the hostname not the IP.

ym

Xtract
join:2003-04-25
Etheria

Xtract to Amaethon

Member

to Amaethon
I loaded firebird when I read the first article and have not touched IE since.

woody7
Premium Member
join:2000-10-13
Torrance, CA

woody7

Premium Member

Re: Another reason to use Firebird...

said by Xtract:
I loaded firebird when I read the first article and have not touched IE since.

Been using it for a long time now and only use IE for updates........have been a happy camper since

deltat2000
Timor Omnis Abesto
Premium Member
join:2000-04-13
127.0.0.1

deltat2000 to borborpa

Premium Member

to borborpa
Okay...........now that you have me totally paranoid..whats the real url/link to Opera or Firebird?

Hopefully Justin will post it.......I think I'de trust his links...

deltat2000 softly whistles in the dark! and thinks "boy its getting kinda scary online"

Xtract
join:2003-04-25
Etheria

Xtract

Member

Re: Another reason to use Firebird...

Use good old google

jplove71
Premium Member
join:2001-03-16
Scottsdale, AZ

jplove71 to deltat2000

Premium Member

to deltat2000
Mozilla Firebird product page. I've been using Firebird for about 9 months now, Mozilla for 1 1/2 yrs before that, and Netscape 4.x before that.

Glaice
Brutal Video Vault
Premium Member
join:2002-10-01
North Babylon, NY

Glaice to borborpa

Premium Member

to borborpa
Using Firebird since 0.6 and Thunderbird since 0.2

insomniac84
join:2002-01-03
Schererville, IN

1 recommendation

insomniac84

Member

Re: Another reason to use Firebird...

said by Glaice:
Using Firebird since 0.6 and Thunderbird since 0.2

Do you want a cookie?

jose3030
Premium Member
join:1999-08-17
Manassas, VA

jose3030

Premium Member

Re: Another reason to use Firebird...

Just dont track my online movements and we'll be fine!

inciter
Noobie
Premium Member
join:2000-08-30
Rohnert Park, CA

inciter to borborpa

Premium Member

to borborpa
Glad I don't use FireBird! or anything eles but IE! At least they come up with the fixes and warnings. Are you under the same bug? Maybe maybe not.... But at least I know whats wrong with my browser and how to fix it.

Xtract
join:2003-04-25
Etheria

Xtract

Member

Re: Another reason to use Firebird...

And what is your suggestion for fixing this one?

Sperkowitz
Premium Member
join:2002-03-30
Valencia, CA

2 edits

Sperkowitz to inciter

Premium Member

to inciter
Good for you, but since IE is given with the operating system a very high percentage of people will only use IE. In addition, many are not expert programers and are not aware of issues such as these and will be very hurt by these.

Hayward0
K A R - 1 2 0 C
Premium Member
join:2000-07-13
Key West, FL

Hayward0 to inciter

Premium Member

to inciter
said by inciter:
Glad I don't use FireBird! or anything eles but IE! At least they come up with the fixes and warnings. Are you under the same bug? Maybe maybe not.... But at least I know whats wrong with my browser and how to fix it.

Its a shame how easily some can be deluded by MicroGod(soft).... M$ has a long and unwavering history of releasing things long before they are ready and solid, just because they SEEM to work... however they never even seem to attempt to break them. Its is a closed group of self interested developers.
The only reason you know about any of the problems is because someone OUTSIDE M$ found them and embarrassed them into fixing them... Microsoft does not find them themselves. And since the source code is not readily available no one else can look for the problems BEFORE they happen. They just create new "glitter features" that more often than not cause problems, because they haven't worked them hard enough once they have the appearance of working.

Mozilla on the other hand is a consortium of INDEPENDENT developers... and even if a bad apple got in and tried to do something bad... the other would likely spot it before it was even released. Plus there are people going over the code everyday, mostly with the goal of improving it, but also often correcting problems.

But go right a head delude yourself into believing M$ will protect you... you'll get had sooner or later.
jram
join:2003-08-06
Albany, NY

jram to borborpa

Member

to borborpa
I hope this isn't true

A vulnerability which affects Internet Explorer can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information.

The flaw, wherein Internet Explorer displays the contents of one web site while showing a different, incorrect, address in the browser address bar, is not confined to IE but also affects version 0.7 of the Mozilla Firebird browser, according to a security analyst from Secure Data Group.

Ben Robson said members of the security communirty had found that all users of Internet Explorer 6, Outlook Express 6 and Mozilla Firebird 0.7 - the last-named on both Linux and Windows - were affected by this vulnerability.

However, others have contested the claim that the flaw can be exploited under Mozilla Firebird.

The flaw was disclosed on Wednesday by graphic designer Sam Greenhalgh who has set up a demonstration here.

Robson said the big giveaway in scams like those on eBay, where users were asked to enter details at a bogus website, was that the URL would not match the "eBay.com" address.
advertisement

advertisement

"This new vulnerability allows the attacker to send the victim to a page that looks and behaves just like the eBay site and has the "eBay.com" address in the address bar. But in fact any information the user provides is being sent to another website looking to steal their details," he said.

Robson said a malicious user could use this vulnerability and create a series of fake websites that looked like they were those of a legitimate company.

"They can ask the user for credit card details. However upon going to the page, inspite of what the URL states, the user is in fact at the malicious user's website. As a result the user may unwittingly enter important personal information," he said.

Using a technique such as this with the recent 'eBayUpdates' scam would have made the scam almost impossible to detect until it was too late for thousands of victims, Robson said.

He said it worked with SSL-encrypted links as well. "As such it would be very easy for someone to misrepresent themselves as a bank, or other financial institute and convince the user to input their access details. Even the little 'lock' symbol at the bottom of the browser would look right.

"We have proved that it is possible to direct a web browser to an alternate web server, whilst placing a bank's URL in the address bar, and having the link place the banks URL in the status bar at the bottom of the screen. As such we can see no way that a user might determine that a link is illegitimate," he said.

Neither Microsoft nor the Mozilla project have yet publicly reacted to the news of the vulnerability.

jplove71
Premium Member
join:2001-03-16
Scottsdale, AZ

jplove71

Premium Member

Re: Another reason to use Firebird...

said by jram:
The flaw, wherein Internet Explorer displays the contents of one web site while showing a different, incorrect, address in the browser address bar, is not confined to IE but also affects version 0.7 of the Mozilla Firebird browser, according to a security analyst from Secure Data Group.
The difference between MSIE and Mozilla Firebird is that the fake URL is visible in the address bar in Firebird whereas it isn't when using MSIE.
jram
join:2003-08-06
Albany, NY

jram

Member

Re: Another reason to use Firebird...

Thank-you,I just started using Firebird a couple months ago and have it the way I want..I have a couple of comments,I 'm on the machine at least 7hrs.a day,never been to a site that I have had a problem on ,including on-line banking..They have a extension open with IE just in case..I haven't had any kind of a pop-up since I've been using Firebird,not even the sliding ones.
Last thing,yes IE can be set-up to be secure but it will drive you nuts with them asking all of the time blah blah blah,I have to many things to do to waste my time..

KrK
Heavy Artillery For The Little Guy
Premium Member
join:2000-01-17
Tulsa, OK

KrK to borborpa

Premium Member

to borborpa
Yep, clicked the link and saw.....

(http deleted) " www.symantec.com%01@i.dslr.net/symantec/www.symantec.com/index.html "


Hazeleyze
join:2003-05-09
Wauseon, OH

Hazeleyze to borborpa

Member

to borborpa
After I saw this, I switched to Firebird 0.7. This is my first experience with another browser and I don't miss IE one little bit.

tons of fun
join:2002-10-11
Rochester, NY

tons of fun

Member

K-Meleon

Another reason to use K-Meleon!!

Be well all........& safe!

raw
War Eagle
Premium Member
join:2001-01-17
Madison, AL

raw

Premium Member

Re: K-Meleon

said by tons of fun:
Another reason to use K-Meleon!!
Or Firebird, Epiphany, Konqueror, Galeon, or even stock Mozilla. Heck, anything is safer than IE at this point.

borborpa
Slipping Slowly Into Oblivion
Premium Member
join:2002-02-20
New Cumberland, PA

borborpa

Premium Member

Re: K-Meleon

Don't forget Lynx!!

raw
War Eagle
Premium Member
join:2001-01-17
Madison, AL

raw

Premium Member

Re: K-Meleon

I might as well mention Mosaic while we're at it.
rotorouter6
join:2004-01-17
Carrboro, NC

rotorouter6

Member

Re: K-Meleon

Real men surf with telnet to port 80.

vice8686
join:2000-10-13
Lancaster, CA

vice8686 to tons of fun

Member

to tons of fun
Thanks for mentioning the K-Meleon browser. I like it so far. It's also nice and fast:)

ifarrell
join:2000-08-10
Willow Spring, NC

ifarrell

Member

IE Out.....

I only use IE for Windows Updates and for the few web sites that don't support Firebird that I need access to. I inform the Webmasters in cases like that though.
smpjunky
join:2002-09-12
Norfolk, VA

1 edit

smpjunky

Member

Re: IE Out.....

Which all to often is met by a reply such as, "Sorry but we are unable to support that feature at this time.". Which roughly translates to, "We're to stupid or lazy to implement a non-MS piece of software." Is it really nessisary to build sites with frontpage? I think not.

Edit: Oh, Mozilla 1.4

Radio Active
My pappy's a pistol
Premium Member
join:2003-01-31
Fullerton, CA

Radio Active

Premium Member

Re: IE Out.....

said by smpjunky:
Is it really nessisary to build sites with frontpage?

Only if you have no skills(like me);)

Matt3
All noise, no signal.
Premium Member
join:2003-07-20
Jamestown, NC

Matt3

Premium Member

Ummm......

Ok, so IE shows the proper / and Firebird shows the improper HTML escape code, %2F.

Sounds like a Firebird bug to me.

Mike
Mod
join:2000-09-17
Pittsburgh, PA

Mike

Mod

Re: Ummm......

Safari does the same thing.. that's kind of the way it's typed if you looked at the code..

Matt3
All noise, no signal.
Premium Member
join:2003-07-20
Jamestown, NC

Matt3

Premium Member

Re: Ummm......

said by Mike:
Safari does the same thing.. that's kind of the way it's typed if you looked at the code..

It should be typed that way in the code, otherwise the / might be interpreted as an HTML command, instead of actually displaying the correct character.

So, in that sense, IE is correct in the way it is displaying things.

The part that is INCORRECT and sloppy programming on Microsoft's part, is they should have LIMITED it to only a certain set of characters instead of parsing EVERY escape/control code.

Trel
Good Evening
Premium Member
join:2002-10-08
USA

Trel

Premium Member

put the practicle joke potential

isn't it also funny to claim that you hijacked say google if you do something like this

»www.krahs-emag.com/?page ··· orts.com
jbone_99
join:2003-12-21
Washington, DC

jbone_99

Member

Another one dead!!!

Im getting good at this ppl.... I just put a few of the symbols he used in his bogus URL in my ad blocker and when I refreshed the page guess what??? link gone.

I see Im kinda on the right track but we gotta long road ahead. I must be a fool for trying to save IE lol

TechyDad
Premium Member
join:2001-07-13
USA

1 recommendation

TechyDad

Premium Member

Microsoft's Advice

said by From BetaNews.com:
In the meantime, before a fix is released and while industry pundits argue over proper disclosure, Microsoft advises its customers to follow its "Protect Your PC" guidance program by enabling a firewall, installing all available product updates and employing anti-virus software.
What type of advice is this? Granted, it's good to do all of those things, but that won't stop this particular bug. If a faked out site gets you to submit your personal information then none of those protective measures will stop the data from falling into a hacker's hands. If the faked out site gets you to download and run a program (by exploiting the trust and reputation of the site it's pretending to be), your firewall might alert you, but you would be just as likely to let it through. (After all, it came from a site you know and trust... or so you were tricked into thinking.)

The best advice is don't click on links in unrequested communications.

(Ok, that and perhaps don't use IE, but that's not an option for me. As a web developer, I have to use whichever browser my audience is using, and this means IE for me.)

LordMalak
join:2003-07-02
Brazil

1 recommendation

LordMalak

Member

Re: Microsoft's Advice

said by TechyDad:


The best advice is don't click on links in unrequested communications.


No, the best advice would be "Use another browser."
sir_voltron
join:2001-08-28
Santa Rosa, CA

sir_voltron

Member

Re: Microsoft's Advice

No, I would have to say--educate yourself and DON'T click on it
marcussen
join:2003-02-20
Shawnee, OK

marcussen

Member

No problems with Avant Browser

I use the Avant browser which uses IE as a base but this problem shows up in the address bar making it clear what the address realy is, it also adds pop-up blocker and tabbed browsing, ( »www.avantbrowser.com/ )

AlexNYC
join:2001-06-02
Edwards, CO

AlexNYC

Member

Opera

Here's what Opera is saying:

••••••

liht - lazy
@sprintbbd.net

liht - lazy

Anon

Monkey!

i just think that picture is funny, haha. monkey, lol...funny monkies. hahaha. hes biting the hand. hahahaha.

tons of fun
join:2002-10-11
Rochester, NY

tons of fun

Member

To Hell With I.E.!!!

Click for full size
5 words........

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

JohnInSJ

Premium Member

Simple safety net

In IE... go to any of the example Phish sites above...

Click at the end of the address in the address bar
hit spacebar once
hit enter key

Whalla. Back at real site.

You're welcome

•••

Matt3
All noise, no signal.
Premium Member
join:2003-07-20
Jamestown, NC

Matt3

Premium Member

Ahem....

»www.mozillazine.org/talk ··· cle=4078

I have to say, WOW, to the speed at which a preliminary patch was released.
tacosalad8
join:2002-06-27
Hillsboro, OR

tacosalad8

Member

Small, but important, correction

The article suggests that "File/Properties" is the only reliable way to detect this sort of trickery in IE.

Actually, there's a second method that has a few advantages:

- Right click the text (background) of the web page and choose properties from the popup menu to identify the web site that contains the text you're reading. That'll protect you just as well, possibly better because it rules out some additional exploits (eg: so-called "frameless" pop-up windows, or creative use of frames).

It's a small nitpick, but if you're about to access your $100K brokerage account it's worth double-checking whom you're sending your password to!

Ctrl Alt Del
Premium Member
join:2002-02-18

Ctrl Alt Del

Premium Member

IE 5.5 shows URL in title bar

Click for full size
IE 5.5 displays the full and real URL in the title bar???

•••
stark23x
join:2001-04-09
Hamden, CT

stark23x

Member

Netcaptor has already patched this

»www.netcaptor.com IE frontend, tabs, solved the spoof problem already.

mod bait
Premium Member
join:2001-06-11
Rochester, NY

mod bait

Premium Member

Re: Netcaptor has already patched this

said by stark23x:
»www.netcaptor.com IE frontend, tabs, solved the spoof problem already.
NetCaptor doesn't "solve" the spoof exploit; it provides a workaround for NetCaptor users. (MyIE2 does the same thing.)

dja
Happy to Help
Premium Member
join:2002-03-25
Niagara

dja

Premium Member

shameless shill for BBR

I'm so proud!

On what may be my last day with internet service...
I managed to get a link to this article in the LangaList.

Nasty IE Bug Lets Fake Sites Look 100% Real

Glad to promote BBR whenever possible.

Fobulous
Premium Member
join:2002-08-14
Missouri City, TX

1 edit

Fobulous

Premium Member

Firebird and Avantbrowser show the samething

Click for full size
ok i don't understand..

this is what i got with Avant browser.

and it's essentially the samething with Firebird...so i'm not sure why you are saying Firebird is any safer...

Iowan5
Premium Member
join:2002-11-27
Des Moines, IA

Iowan5

Premium Member

Re: Firebird and Avantbrowser show the samething

I use Firebird only.

And IE for updates.
jbone_99
join:2003-12-21
Washington, DC

jbone_99

Member

ANother One DEAD!!!

Im getting good at this ppl.... I just put a few of the symbols Trel used in his bogus URL in my ad blocker and when I refreshed the page guess what??? link gone.

I see Im kinda on the right track but we gotta long road ahead. I must be a fool for trying to save IE lol

DGDTrathole
join:2000-05-07
Newmarket, NH

DGDTrathole

Member

Re: ANother One DEAD!!!

hey I vote just use OPERA...the fastest most secure browser around...also for multiple OSes...

I use it on my MAC, Linux, Windozes...

mastermind278
Premium Member
join:2001-07-12
Clementon, NJ

mastermind278

Premium Member

Good Thing Mcafree catches this...

Click for full size
Good Thing Mcafree catches this...

ATTek
Got Sand?
Premium Member
join:2000-12-13
Glendora, CA

ATTek

Premium Member

Re: Good Thing Mcafree catches this...

Ya, I noticed that too. Doesn't seem like such a big deal now.
page: 1 · 2 · next