dslreports logo

story category
Update on the IE vulnerability
Some facts
by justin 11:28AM Friday Dec 12 2003
An update on the recently reported IE vulnerability that lets people create fake sites that look real and disguise their true address. You can see the bug in action using this hoax site: here (designed by us). If you are on IE, and visit the "site", your Address bar will be wrong (say symantec.com). But your status bar, once in the page, may show something is bogus. If you don't believe it is not Symantec, click the privacy link at the bottom of the page.

You can also see a demo of faking a secure page with padlock and valid certificate (but not one from paypal): here.

Some facts about the vulnerability:
• Once at a fake site, only File..Properties will reveal a strange URL that does not agree with the Address bar.
• It appears that basically all windows MSIE versions are vulnerable.
• If you use MSIE "enhancers" such as IRider, you may be protected from the problem.
• With java script enabled, it is trivial for the hoax site to modify the MSIE "Status bar" to show whatever it wishes.
• Examples have been posted of mostly obscuring the tell-tale info in the IE status bar at the bottom, after you are on a hoax site, even with javascript (Active-Scripting) turned off.
• Microsoft has rated the vulnerability "moderately critical" (is this like "somewhat dead"?) and will not rush out a patch for it, or others spotted this month, due to testing complexities. According to recent news.
• Despite what some newspapers report from the " Secure Data Group. ", Mozilla and other browsers are NOT vulnerable.
Mozilla, firebird and other browsers allow JavaScript to set a status bar title when your mouse hovers over a link to a hoax site, as does IE, but when you have arrived at the hoax site, only IE is faked out where it matters: in the address bar.
• It is possible to fake more than just the domain name. You can fake any location you wish. example.
• Should we panic? no. if you enter web addresses yourself (by typing them) or by using your known good bookmarks, to reach banking and other sites, you have nothing to fear from this vulnerability. As always, beware of unsolicited invitations to "click" -- where the destination site requires any sensitive information from you.
update AOL has updated their mail filters to refuse any mail with these kind of warped links in them .. email gets bounced with the error "554_TRANSACTION_FAILED:__(HVU:B1)_The_URL_contained_in_your_
update It is possible to fake an entire site - using web server redirectors. A normal link that is often used and seen on the web etc - "click here for DSL for 11 bucks a month" - could turn into a fake Yahoo-DSL signup page, that included local links that were entirely correct looking, backed by a redirector such that the victim never knew that all local links returned them to new pages on the phish site.

Browsers should consider showing the NAME of the company on the SSL certificate next to the LOCK icon the browser shows for secure sites. That would be of great utility to stop possible fake sites (Phishing) in future. Almost nobody inspects certificates if the browser says they are valid (but valid belonging to whom?). After all, anyone with 39.95 and some basic credentials can get a 128bit certificate now.

by the way : please keep attached comments on this story to any further information or corrections or discoveries? there is a long topic in the security forum and in the comments to the last story, where possibly someone has already said what you are thinking of saying.

72 comments .. click to read