New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
This bodes ill (Score:5, Insightful)
Not patching this month...... (Score:5, Insightful)
Still, this seems like a major flaw. For the last three months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect, but there are a lot fewer flaws than in IE.
The patch they should issue! (Score:5, Insightful)
Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downloaded Java 1.4, whereas it does work from Mozilla.)
-Rob
These are pretty nasty bugs. (Score:5, Insightful)
Human nature will pull people in more (Score:5, Insightful)
My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams: "Re-enter your username and password etc. and we'll have your records up to date, otherwise your eBay account will be deleted." Partway through doing this he got a bit confused by the process, and I picked up immediately that it's not an eBay address. I pointed that out to him: the email's fake, a scammer looking for a way to make a quick scam using his eBay account.
What does he do? Goes straight to the main eBay site and starts looking for the equivalent page; he was still on the track of "Must update my eBay account details." It didn't even enter his head that the scam was a COMPLETE scam. Half an hour later he's asking again whether or not maybe he should use the URL in the email, because he didn't want to lose his eBay account.
A fake URL might catch a few more, but it's people's attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else, IMHO.
Not so bad from a different point of view (Score:2, Insightful)
The patch problem, two-fold (Score:3, Insightful)
The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.
Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.
I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.
This will continue, ad nauseam.
Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.
Re:This bodes ill (Score:5, Insightful)
Scares the pants off me... (Score:5, Insightful)
Funny thing about this. (Score:1, Insightful)
Let's hope that in about 3-4 years from now, Longhorn will have been decently designed to do things right.
Now is the time to Push Mozilla and Firebird (Score:5, Insightful)
I find giving people the link (or installing it myself) to the Firebird installer [mozdev.org] and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.
I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet thieves."
Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.
Come on ... (Score:5, Insightful)
Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.
Re:Not a problem in Opera (Score:1, Insightful)
Opera is more secure indeed. That's not the only reason why we love it, it's
faster
smaller
got more features
Those are the main things really, there's way more to it, so just check it out at www.opera.com
Re:This bodes ill (Score:5, Insightful)
for paypal where there are so many redirect scams.
You're telling me, buddy. Unfortunately Microsoft is not aware that this occurs at all, ever. This is a good example of how unaware they are in general. Meanwhile...
Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.
So I should use firewalls and antivirus software. Riiiight. Doesn't address this vulnerability in the slightest. How about I don't use MS software for business-critical financial transactions. Especially since they "may" release a patch. Someday. Like they did for the 1001 other vulnerabilities they did not want reported.
Microsoft faulted security mavens for publicizing the flaw, implying that they hadn't given Microsoft sufficient time to craft a patch.
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the statement reads. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
So customers should not be warned that they might be fooled into giving their money to thieves/terrorists because it might embarrass Microsoft. That is irresponsible in itself. Besides Microsoft does not fix vulnerabilities unless they are widely publicized enough that CNN is reporting them and CEOs understand them. Again the only responsible thing to do is to advocate Mozilla for financial transactions.
Results of dumbing down UI (Score:4, Insightful)
Just another example of a solution that solves a problem that doesn't exist and creates security holes.
Re:This bodes ill (Score:2, Insightful)
Go ahead and mod me flamebait if you must. I've got karma to burn. Besides, what good is all that karma if you can't share it. Merry Christmas.
Re:Not so bad from a different point of view (Score:2, Insightful)
Re:Why is it slashdot never reports...... (Score:4, Insightful)
As for this particular problem, as always Bashdork makes it seem like the end of the world, front and center. Check the other responses on this article - Mozilla is also vulnerable. I'm running Mozilla 1.6a (2003110515) and I see the "http://www.microsoft.com/" URL on the Secunia spoof page [secunia.com]. This kind of puts it in perspective, eh?
Mozilla is an excellent browser, that's for sure. But it is what it is because IE4 raised the bar so high (compared to NSN) that there was really nowhere to go. I personally use both, and I'm glad that Mozilla is (finally) giving IE a run for its money. But to go from embarrassed silence to this... well, as so many other areas where open source had to play catch up, the FUD tends to convey the idea that Microsoft has always produced non-functional "crap" and everyone else has been running circles around them forever.
Very funny. Oh, and the "economy cereal" thing? Brilliant. I've heard the same thing said about Mozilla (albeit with a different angle), with its 40-second load times and clunky one-size-fits-all non-standard GUI. Not that I'd agree, though. But hey, don't let that put a dent in your superb flaming skillz.
And let's see how long it takes for the Mozilla folks to patch this one. And of course, for all those people running older builds to actually download and install.
MOD PARENT UP (Score:5, Insightful)
Someone is going to make a lot of money with this. For an example of this in action (harmlessly):
http://crayz.dyndns.org/test.html [dyndns.org]
Gotta love microsoft's response (Score:3, Insightful)
How many people are going to give their credit card/bank/PayPal info to these sites, thinking they are safe because they have Norton Antivirus or ZoneAlarm running? They are basically telling people not to worry when this is a huge security flaw. The only way to be safe is to type the URL in instead of following links.
I'm gonna be RICH ! (Score:1, Insightful)
Thanks Microsoft!