Forgot your password?
typodupeerror
Internet Explorer The Internet Bug Microsoft

New IE Bug Hides Real Site Address 683

Posted by michael
from the can't-blame-the-user-for-this-one dept.
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
This discussion has been archived. No new comments can be posted.

New IE Bug Hides Real Site Address

Comments Filter:
  • This bodes ill (Score:5, Insightful)

    by panxerox (575545) * on Thursday December 11, 2003 @09:38AM (#7688968)
    for paypal where there are so many redirect scams.
    • by glpierce (731733) on Thursday December 11, 2003 @09:39AM (#7688978) Homepage
      ...and Slashdot, where there are so many people trying to get you to look at goatse
      • Re:This bodes ill (Score:5, Informative)

        by Bobulusman (467474) on Thursday December 11, 2003 @09:59AM (#7689131)
        Actually, although someone will probably prove me wrong, you couldn't do this with a slashdot link. You have to use the unescape command, and I don't see a way to do that with the allowed HTML.

        I'm sure it's main 'use' will be HTML e-mails which lead consumers to fake ebay and paypal sites.
        • Re:This bodes ill (Score:5, Informative)

          by metlin (258108) on Thursday December 11, 2003 @10:54AM (#7689588) Journal
          You're correct.

          I even tried various combinations, including a javascript: in the href tag and it did not work -

          <a href="javascript:location.href=unescape('http://ww w.microsoft.com%01@zapthedingbat.com/security/ex01 /vun2.htm')">test</a>

          Not as bad as it could be. Atleast not yet.
    • As if anyone actually *trusts* their DNS server. HA!
      • Re:This bodes ill (Score:5, Insightful)

        by doon (23278) on Thursday December 11, 2003 @09:58AM (#7689125) Homepage
        Like the avg user that falls for the paypal scam knows what a dns server is. Most people believe/trust everything they read in e-mail as long as the "from" address looks right or it looks official. This one might be rough since it might catch the "smarter" users that at least look at the address bar. Hopefully they will realize that it isn't under ssl, and there is now cert, so that they shouldn't do anything, but I am not holding my breath.
        • Man and people say Slashdot users don't have a sense of humor .... oh wait.
        • Re:Cert? (Score:3, Informative)

          by Derek Pomery (2028)
          Like it would be so hard for a group with dubious credentials to acquire a cert. Browsers don't prompt usually so long as the cert is up to date, and from an official cert authority.
          Who's going to inspect and notice it wasn't issued to the right corporation?
          Well, hopefully any paranoid IE user, for now.
    • Re:This bodes ill (Score:5, Insightful)

      by rifter (147452) on Thursday December 11, 2003 @10:56AM (#7689608) Homepage

      for paypal where there are so many redirect scams.

      You're telling me, buddy. Unfortunately Microsoft is not aware that this occurs at all, ever. This is a good example of how unaware they are in general. Meanwhile...

      Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.

      So I should use firewalls and antivirus software. Riiiight. Doesn't address this vulnerability in the slightest. How about I don't use MS software for business-critical financial transactions. Especially since they "may" release a patch. Someday. Like they did for the 1001 other vulnerabilities they did not wnat reported.

      Microsoft faulted security mavens for publicizing the flaw, implying that they hadn't given Microsoft sufficient time to craft a patch.

      "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the statement reads. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

      So customers should not be warned that they might be fooled into giving their money to thieves/terrorists because it might embarrass Microsoft. That is irresponsible in itself. Besides Microsoft does not fix vulnerabilities unless they are widely publicized enough that CNN is reporting them and CEOs understand them. Again the only responsible thing to do is to advocate Mozilla for financial transactions.

  • by dew-genen-ny (617738) on Thursday December 11, 2003 @09:40AM (#7688988) Homepage
    Nice. Wonder if they're going to break their word again and distribute yet another patch during december.

    Still this seems like a major flaw - For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect but there's a lot less flaws than IE.
    • by Pelorat (174667) on Thursday December 11, 2003 @09:43AM (#7689011)
      Actually, if they're going to break promises, that's a good one to start with.
    • The problem is that it looks like it affects them all.

      If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol

      http://www.zdnet.com@slashdot.org

      I'm still not really sure what the problem is. Even if the bug removed the @slashdot.org, it just means that those of us that actually pay attention to the address bar might get fooled. Most people don't pay any attention to

      • by jdreed1024 (443938) on Thursday December 11, 2003 @10:37AM (#7689440)
        The problem is that it looks like it affects them all.

        If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol

        http://www.zdnet.com@slashdot.org

        No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it. Thus:

        http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.h tml

        will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:

        http://www.yahoo.com

        Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)

        And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.

        • by Anonymous Coward
          These are 2 distinct and different bugs.

          "%00" will hide the link in the tooltip and the status bar on both Mozilla and IE. Although Mozilla will correctly display the entire link in the link properties where IE only displays up to the "%00" here also.

          "%01" will not hide the link in the tooltip or the status bar in either Mozilla or IE, but it will make the location bar only show up to the "%01" in IE after you click on the link.
      • The problem is that it looks like it affects them all.

        That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.

        I saw a post somewhere that said that the vulnerability works with either a ascii 1 or an ascii 0 character before the "@".

        Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.

        ASCII 0 [rit.edu]
        ASCII 1 [rit.edu]

        (Below are the browsers I just happen to have installed)

        IE6 for windows (for
    • by leifm (641850) on Thursday December 11, 2003 @09:53AM (#7689085)
      I'd recommend Firebird over Mozilla. While I still like Moz a lot I've started using Firebird 98% of the time, it integrates with Windows a bit better, it's faster, and the interface is simplier. And over the last year to year and a half almost every site seems to render correctly with Gecko based browsers, leaving only Windows Update and other ActiveX dependent sites needing IE. IE was a good browser in it's day, but MS has let it stagnate pretty much since 4.0. They're going to have to do more than just add pop-ip blocking for me to use it with any regularity again.
    • I use windows a lot; Linux makes a great server and I use it as such, but in all reality, MS make a good desktop OS for the home user.

      OK, back onto topic. Yes, MS said they wouldnt [need to] release any patches this month. So what. If a vuln has been realised, I would rather they sent the patch out than try to keep their word. This is actually a pretty serious vuln (as mentioned above, paypal scams'll love it) and the sooner its patched, the better
  • Link to POC test (Score:5, Informative)

    by Anonymous Coward on Thursday December 11, 2003 @09:40AM (#7688990)
  • See also (Score:5, Funny)

    by lamery (598414) on Thursday December 11, 2003 @09:40AM (#7688991)
    http://www.microsoft.com/ie_advisory@%01goatse.cx
    • Re:See also (Score:4, Informative)

      by karevoll (630350) on Thursday December 11, 2003 @09:48AM (#7689044) Homepage

      The %01 part should come _before_ the @... and no, it is not just as simple as this... the url must also be unescaped..

      See Here [DevGuru] [devguru.com] if you don't know what to 'unescape' means...

      (Yes, this means that it will be difficult pulling this one off over i.e IRC, where special characters don't necessarily show up on other peoples terminals)


      • Unescaped sounds like it means to NOT put the '\' slashes to escape characters like %, @, etc that can mean different stuff besides just being characters...

        but i'm just guessing here. Can anyone confirm?
  • by Anonymous Coward on Thursday December 11, 2003 @09:40AM (#7688992)
    All that bizarre crap on the SCO website must actually be The Onion playing games...?
  • The example misuse (Score:4, Informative)

    by trystanu (691619) on Thursday December 11, 2003 @09:40AM (#7688993) Homepage
    Is pretty compelling (spoofs Microsoft.com):

    http://www.zapthedingbat.com/security/ex01/vun1.ht m
  • by JavaSavant (579820) on Thursday December 11, 2003 @09:41AM (#7688995) Homepage
    There is no bug, and there will be no patches in December! We will reveal the vulnerabilities of the infidels and they shall tower over our own!

    I don't really get them sometimes, honestly. Is this sort of like their being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?
  • A demonstration (Score:4, Informative)

    by karevoll (630350) on Thursday December 11, 2003 @09:41AM (#7689000) Homepage

    Click here [ZapTheDingBat.com] [zapthedingbat.com] to see an example of how it is done...

    Opera and Mozilla (at least firebird) handles it properly :-)

  • by rknop (240417) on Thursday December 11, 2003 @09:42AM (#7689003) Homepage
    Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?

    Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downoaded Java 1.4, whereas it does work from Mozilla.)

    -Rob
    • >> Why not just pull IE from the market altogether and tell everybody to download Mozilla and get on with their lives?

      ...

      [blink][blink]

      ...

      Yeah, that's going to happen.
    • by gad_zuki! (70830) on Thursday December 11, 2003 @10:16AM (#7689253)
      More importantly why aren't banking sites suggesting users use Moz? Some could argue that if they knew this in advance they are liable for being negligent, like leaving the vault door open.

      It would only be fair to see a link to Moz and Opera on banking sites and suggesting people use these browsers for maximum privacy and security.
      • I work for a bank in their internet division. We list 'supported' browsers, but don't make any recommendations. Why? Because we don't want our telephone representatives providing tech support for our 5 million customers. We tried recommending Netscape about 4 or 5 years ago... "NEVER AGAIN" is our mantra.

        Yes, it sucks. But we're a business and we can't lead technology change. Just be thankful we don't use .asp, Active X, or flash on our site. :)
    • by robbo (4388) <(ten.armis) (ta) (todhsals)> on Thursday December 11, 2003 @10:33AM (#7689398)
      It's not a mozilla/ie issue, it's a social issue. Mozilla is likely to have its share of egregious security holes (but probably not as many). Even if patches are released within hours of the discovery of a bug, the likelihood that joe user will install the patch is slim. We can all hoot and holler-- install Mozilla! but if Mozilla gained majority market share, people would still fail to take the time to patch their systems, and it's inevitable that moz security bugs will be discovered too.
  • by wud (709053) on Thursday December 11, 2003 @09:42AM (#7689006) Homepage Journal
    'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch

    lets just hope they release the patch on purpose this time
  • by maharg (182366) on Thursday December 11, 2003 @09:43AM (#7689009) Homepage Journal
    Secunia rated the vulnerability as "moderately critical."

    How long will it be before someone finds a "critically critical" uber-flaw.
    • How long will it be before someone finds a "critically critical" uber-flaw.

      What I want to know is, just how badly does the regular computer-using public need to get battered, by security holes and other exploits in IE, before they finally just ditch the damn thing?

      I installed Firebird for a co-worker the other day. While I was doing this I explained that they should turn on the pop-up blocker. They were astounded that this feature existed at all. I find this is a very common reaction (which, in turn, a

  • Works fine on IE (Score:2, Informative)

    by nberardi (199555) *
    No bug in my box from some reason. It works fine on my version IE 6.0 on Windows 2000.
  • by Sheetrock (152993) on Thursday December 11, 2003 @09:43AM (#7689013) Homepage Journal
    I've found that people are more likely to encounter these sort of things via e-mail, and that they lend themselves quite easily to fraud/theft. Hopefully, Microsoft will release a patch for this even though it's December, because this will no doubt find its way into (illegitimate) spammers' arsenals.
  • Just after I had a lecture for my parents / friends on how to validate URLs, some shit like this comes up. Using Microsoft products is like fighting windmills all the time. Lucky for me, I have ended all friend-support for anyone not using Linux or MacOS.
    • Lucky for me, I have ended all friend-support for anyone not using Linux or MacOS.

      Or you could've been a bit less drastic and made them switch to more secure apps while keeping the MS OS (yeah I know, not perfect but it's a step in the right direction -- people are less likely to ditch everything at once).

      Why couldn't you just migrate them to Mozilla/Firebird and install some security measures on their computers (good anti-virus, Spybot:S&D, etc)?
  • by rbb (18825) <remco@rc[ ]rg ['6.o' in gap]> on Thursday December 11, 2003 @09:46AM (#7689036) Homepage
    Why people keep on using Internet Explorer is a mystery to me, as these problems have been solved ages ago in browsers like for example Opera [opera.com]:
    Security warning: you are about to go to an address containing a username:

    username: www.paypal.com
    server: rc6.org

    Are you sure you want to go to this address?
    • by RFC959 (121594) on Thursday December 11, 2003 @10:25AM (#7689321) Journal
      The problem is that there are still so many sites that are borken in other browsers. (Well, one of the problems, anyway.) Not necessarily because the other browsers are bad, but because developers assume that everyone is going to have IE, think they should force everyone to use IE, or just don't bother to test at all. Off the top of my head I can think of two sites which are intentionally broken:
      http://www.scps.nyu.edu [nyu.edu] and
      http://www.expensable.com [expensable.com]. (expensable.com, by the way, is an excellent showcase for bad design, but most of it you'd have to log in to see. For example, the main interface is in a popup, and if you have popups blocked, you just can't log in, and it gives you no indication why.) Try going to either of those sites with your User-Agent string set to something unusual. Sure, you and I know how to change that...but for my mom, who can't even figure out how to change her Windows desktop image on her own, that's going to be a deal-breaker.
    • Why people keep on using Internet Explorer is a mystery to me

      Lots of us aren't given a choice. Our desktops at work are locked down, so normal users can't install or change the software available.

      My desktop machine is so locked down that I can't adjust the clock. I have to put in a formal request to IT to have it done whenever the clock gets too far away from reality. And then another request for them to set it to the correct time in my time zone, not theirs.

      At home, it's a differnt story. Mozilla on
      • by Trelane (16124) on Thursday December 11, 2003 @11:45AM (#7690054) Journal

        Have you tried using the Mozilla Zip file version, as opposed to the installer version? Essentially, install goes like:

        1. Download the Zip file containing Moz to My Documents or something (should be under the release page for Mozilla)
        2. Unzip the file to somewhere in My Documents
        3. Optionally, bring in a floppy or something with the plugins for Moz (or copy them from where they might be installed with Moz; getting them from a Netscsape install is optimal, since they're then self-contained). Put the plugins in the plugins sub-directory in your new Mozilla directory.
        4. Go to the new Mozilla directory, and run Mozilla!

        I used it to put Moz on the Windows Ex-Privacy machines at my uni with just my user account. Naturally, you can't change the "System Access Preferences" or whatever it's called since it'd be completely assinine for anyone but Administrator to let the user choose what browser they prefer to use....

        Anti-Trust Penalties my ass.

  • by Amiga Lover (708890) on Thursday December 11, 2003 @09:46AM (#7689037)
    I think the nature of humans to run on autopilot, and that will pull more people in than anything else. A correct-looking url will just add a few more to the gullible.

    My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately it's not an ebay address. I pointed that out to him. the email's fake. a scammer looking for a way to make a quick scam using his ebay account.

    What's he do? goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my ebay account details". It didn't even enter his head that the scam was a COMPLETE scam. half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.

    A fake URL might catch a few more, but it's peoples attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO
  • IE Mac is fine (Score:5, Informative)

    by wolrahnaes (632574) <sean@NoSPAM.seanharlow.info> on Thursday December 11, 2003 @09:46AM (#7689041) Homepage Journal
    Strangely IE 5.2 on OS X.2 is seemingly immune. Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?
    • Re:IE Mac is fine (Score:5, Informative)

      by Talthane (699885) on Thursday December 11, 2003 @10:08AM (#7689195)
      No, the Mac and PC versions of IE have nothing to do with one another beyond a superficial similarity in looks. The Mac version of IE has often been ahead of its bigger brother in terms of standards compliance and suchlike - for example, IE 5.2 does not require the CSS "box model hack" that you have to use to get some sites to render properly in IE 5.5 on Windows. They have a totally different codebase - Microsoft just made use of a name with high brand recognition.
    • Re:IE Mac is fine (Score:4, Informative)

      by Deven (13090) <deven@ties.org> on Thursday December 11, 2003 @10:20AM (#7689279) Homepage
      Wouldn't the two logically use similar codebases and thus be vulnerable to the same attacks?

      You would think so, wouldn't you? No, a separate development team worked on IE for the Mac; the codebases weren't unified at all. From all reports, IE on the Mac was better than IE on Windows in many ways, particularly standards compliance. Go figure!
  • ... after all, friends don't let friends use Microsoft :-)
  • by nikster (462799) on Thursday December 11, 2003 @09:51AM (#7689072) Homepage
    click on the test button on this [heise.de] page.... it's quite scary.

    Of course, you have to use Internet Explorer to see it.

    Internet Explorer is usually found under C:\Program Files\Internet Explorer ;)

  • by liquidpele (663430) on Thursday December 11, 2003 @09:53AM (#7689090) Journal

    You can buy it direct from microsoft.com No, it's really microsoft.com, I promise.
  • As bad as this may seem, perhaps it will push users into other browsers. Microsoft has already said that future IE versions will only be available through an OS upgrade. Perhaps the less enlightened will become enlightened when they find that IE X.X is no longer supported and [insert vulnerablity here] can only be fixed with an OS upgrade because you can't just get an IE upgrade. Maybe then, the less enlightened will just get another browser and then be enlightened.
  • by LilJC (680315) on Thursday December 11, 2003 @09:57AM (#7689115)
    The issue of "read my lips, no new patches" (for December) here is obvious. But now we have two problems. It normally takes a month for a fraction of end users to update even after a patch is issued. Even if this patch is issued immediately when MS said it can be, do you really think that people are going to wake up bright and aware after New Year's Eve and patch their machines?

    The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.

    Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.

    I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.

    This will continue, ad extremum nauseum.

    Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.

  • Microsoft update routinely resets "program access and defaults." Most annoying, but not what this note is about.

    On three occasions, with two different users, I have observed that Netscape/Mozilla profiles have disappeared following Microsoft update. Just a concidence? Perhaps, but after the third occurrence I have become suspicious.

    Because Microsoft update is an opaque process, there's no way I can even attempt to 'reproduce the problem' as I would normally do in similar circumstances.

    So I'll ask /.:
    • On three occasions, with two different users, I have observed that Netscape/Mozilla profiles have disappeared following Microsoft update. Just a concidence? Perhaps, but after the third occurrence I have become suspicious.

      One time I played with the application that let's you set your default browser and email package - the thing that Microsoft had to do because of the DOJ ruling. It completely screwed up Mozilla - it actually renamed files in the Mozilla directory, I kid you not. I couldn't believe it. I
      • Your experience would be consistent with mine. As I mentioned, Update routinely sets the default mailer to Outlook, and I have to reset it using the DOJ-mandated tool. So it could be that the tool is messing me up rather than the update. But it is still a consequence of the update, and still evil.

        If indeed the tool is the culprit, it may be easier than I had originally thought to reproduce the problem, and hence build a case against Microsoft. At least a case against their software. Proving intent wou
  • Is this really significant?

    I can create a web page that opens a window with NO menu at the top, buttons, or address bar (pop-ups do this all the time). And then I can have that web page CONTAIN a substitute menu, buttons, and address bar. In that fake address bar, I can write "www.microsoft.com", just like the sample demonstration. Simple exploit. May fool some people. May get them to enter their credit card info.

    Better yet... imagine this.... set up a whole www.ammazon.com (sic) site that looks l

  • by pubjames (468013) on Thursday December 11, 2003 @10:07AM (#7689190)
    Personally I think this is one of the worst security holes I've seen in ages. Why? - very easy to do and very useful if you're trying to do something fraudulent. I don't understand why they rated this "moderately critical" - personally I think it should be rated "super critical with mayo and large fries and a banana shake (with chocolate sprinklings)"

  • by gad_zuki! (70830) on Thursday December 11, 2003 @10:12AM (#7689218)
    At least I've been having more success pushing alternatives to MS when scary MS articles come out.

    I find giving people the link (or installing it myself) to the Firebird installer [mozdev.org] and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.

    I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet theives."

    Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.
  • A similar phishing exploit can be done using chrome-free windows (see earlier story) with the IE toolbar, address bar and even the little SSL padlock inserted as a GIF (just cut and paste from a screen dump of the real site). So the victim's screen looks exactly like www.fatcatbank.com when it's really at www.russianmafiaownzj00.ru. Mousing over the address bar would give the game away with this simple example, but it's not impossible to use HTML forms to make an address bar that works.
  • Similar IE bug (Score:5, Interesting)

    by sopuli (459663) on Thursday December 11, 2003 @10:34AM (#7689404)
    A little experimentation with this bug yielded another similar bug. The following bit of html:
    <a href="http://www.sco.com%00@www.fsf.org">click me</a>
    when this is displayed in IE, and you hover the mouse over the link, it will display "www.sco.com" in the in the status bar, but when you click it, it will take you to "www.fsf.org". I'll leave it to the reader to replace the latter link with a more offensive one...
  • Still.. (Score:3, Informative)

    by Dwedit (232252) on Thursday December 11, 2003 @10:35AM (#7689414) Homepage
    Even if it's hidden in the address bar, you can do File > Properties to see the full URL.

    And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
  • Exposed Cookies? (Score:4, Interesting)

    by Terragen (727874) on Thursday December 11, 2003 @10:55AM (#7689601)
    Does IE know its being tricked, or does it know the real site and just display the wrong one?

    I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem :/
  • by Wolfier (94144) on Thursday December 11, 2003 @11:05AM (#7689690)
    If MS browser actually displays everything on the address bar without filtering of any sort, problem would not have existed.

    Just another example of a solution that solves a problem that doesn't exist and creates security holes.
  • by jfengel (409917) on Thursday December 11, 2003 @11:35AM (#7689982) Homepage Journal
    I was baffled to discover that my browser (Firebird) supports the @ redirection at all. I've been unable to uncover any W3C or RFC standard that covers it, though presumably one exists. Can somebody point me to it?

    Perhaps that would explain why such a silly feature exists at all. It seems to have no other purpose than for spoofing.
    • by HeghmoH (13204) on Thursday December 11, 2003 @12:19PM (#7690406) Homepage Journal
      It's covered in RFC 1738 [ohio-state.edu]. Look for section 3.1 Common Internet Scheme Syntax.

      Basically, it allows you to specify a username and possibly a password as part of a URL. http://w:x@y.com says to connect to y.com with username w, password x. The URL http://w@x.com means to connect to x.com with username w. This is not in particularly common use for HTTP, but it can be useful for sites that use HTTP authentication.

      Web servers ignore the username and password if you connect to a page that doesn't require authentication, so for most sites, everything before the @ is simply ignored.

      So this really is part of a standard, and it exists for a good reason. It's not a redirection at all, but simply a part of the URL standard that isn't used often enough for people to know what it means. The whole spoofing this is a completely unintended consequence of that.
  • Perfect (Score:3, Interesting)

    by KalvinB (205500) on Thursday December 11, 2003 @12:12PM (#7690315) Homepage
    One more trivial tell to drop crap e-mails from my inbox.

    If an e-mail contains the characters "%01@" or "%00@" kill it.

    I can't think of any reason why those strings of characters would legitimatly found in an e-mail.

    This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.

    If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.

    So for a real world example, if Grandma get's an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information tell her to open her browser and go to her bank's web-site the old fashioned way of typing it in, to log into her account and then see if any notices are there.

    If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.

    Simple lesson for grandma: Never click on a click from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.

    Anyone throwing up their hands about having to reteach grandma, didn't teach grandma properly in the first.

    There's a very generic object lesson here that has zero to do trying to see if a URL is being sneaky that you should have taught her years ago when the first "click here to update your info" scams came through.

    Ben
  • by alwsn (593349) on Thursday December 11, 2003 @12:28PM (#7690505)
    I use proxomitron (You can google to find it) as an ad block and a general crap filter. Since I use a really nice browser based on the IE rendering engine (MyIE2) it's important for me to block crap like this out.

    To nuke this exploit from links you follow on a website (it won't help if you follow it from an e-mail or paste it into the address box, but if you are duped by that, they you probably aren't reading slashdot) you can ad this rule to the proxomitron (or a similar one to Privoxy, and open source equivilent)

    (Matching expession)
    http*@

    (Replacement text)
    !@!
    and it will do a nice job of blocking all of these links.
  • by moojin (124799) on Thursday December 11, 2003 @12:30PM (#7690519)
    take this example email to a corporate user from a malicious person. the email is a simple example, i'm sure other more complex examples can be created:

    To: corporate user
    From: corporate help desk
    Subject: MANDATORY: Username and password verification

    Last night, one of our authentication servers went down and we need to rebuild the our database. To make this process easier for us, please use the form below to verify your username and password.

    http://our.corporate.intranet%01@www.malicious_s it e.com/username_and_password_verification.html

    Thank you for your cooperation.

    IT Help Desk

    ===

    i can't believe that MS is just considering a patch for this. i would write to your corporate internet security officer and urge this person to take a look at this MS IE vulnerability and also to switch to Mozilla. this could be mozilla's chance.

  • by jerrytcow (66962) on Thursday December 11, 2003 @01:58PM (#7691341) Homepage
    Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.

    How many people are going to give their credit card/bank/paypal info to these sites thinking they are safe because they have norton antivirus or zone alarm running. They are basically telling people not to worry when this is a huge security flaw - the only way to be safe is to type the URL in instead of following links.
  • by InfoSec (208475) on Thursday December 11, 2003 @02:45PM (#7691853) Homepage
    That it doesn't fool the security zones in IE. If you have a site in your "Trusted Sites" zone, and you try to spoof that site using the mentioned vulnerability, the Address Bar shows false, but the Zone is not fooled. Thank heavens for small miracles.
  • by BandwidthHog (257320) <inactive.slashdo ... icallyenough.com> on Thursday December 11, 2003 @04:10PM (#7692695) Homepage Journal
    Who says MS doesn't release patches faster than Linux?

    www.microsoft.com/ie/download%01@ftp.mozilla.org /p ub/mozilla.org/firebird/releases/0.7/MozillaFirebi rd-0.7-win32.zip

From Sharp minds come... pointed heads. -- Bryan Sparrowhawk

Working...