New IE Bug Hides Real Site Address
Norman at Davis writes "ZDNet is running a story on a new security flaw in Microsoft's Internet Explorer which could let hackers use a technique to display a false Web address on a fake site according to an advisory from the Danish security company Secunia. The Danes report that 'the vulnerability is caused due to an input validation error, which can be exploited by including the "%01" URL encoded representation after the username and right before the "@" character in an URL.' PC World reports that 'Microsoft says it is investigating reports of the vulnerability. When that inquiry is complete, the company will take whatever steps it deems necessary, such as issuing a new patch, a spokesperson says.' And for good measure, here's what Google news is covering on it right now."
This bodes ill (Score:5, Insightful)
Re:This bodes ill (Score:5, Funny)
Re:This bodes ill (Score:5, Informative)
I'm sure its main 'use' will be HTML e-mails which lead consumers to fake eBay and PayPal sites.
Re:This bodes ill (Score:5, Informative)
I even tried various combinations, including a javascript: in the href tag and it did not work -
<a href="javascript:location.href=unescape('http://w
Not as bad as it could be. At least not yet.
Re:This bodes ill (Score:2, Funny)
Re:This bodes ill (Score:5, Insightful)
Re:This bodes ill (Score:3, Funny)
Re:Cert? (Score:3, Informative)
Who's going to inspect and notice it wasn't issued to the right corporation?
Well, hopefully any paranoid IE user, for now.
Re:This bodes ill (Score:5, Insightful)
for paypal where there are so many redirect scams.
You're telling me, buddy. Unfortunately Microsoft is not aware that this occurs at all, ever. This is a good example of how unaware they are in general. Meanwhile...
Microsoft did not set a timetable for its investigation, but said it may eventually release a patch to address the problem. Meanwhile, the company recommended that people follow basic security procedures, including the use of firewalls, software updates and antivirus software.
So I should use firewalls and antivirus software. Riiiight. Doesn't address this vulnerability in the slightest. How about I don't use MS software for business-critical financial transactions. Especially since they "may" release a patch. Someday. Like they did for the 1001 other vulnerabilities they did not want reported.
Microsoft faulted security mavens for publicizing the flaw, implying that they hadn't given Microsoft sufficient time to craft a patch.
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the statement reads. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
So customers should not be warned that they might be fooled into giving their money to thieves/terrorists because it might embarrass Microsoft. That is irresponsible in itself. Besides Microsoft does not fix vulnerabilities unless they are widely publicized enough that CNN is reporting them and CEOs understand them. Again the only responsible thing to do is to advocate Mozilla for financial transactions.
Supply a link, this article says IE only. (Score:4, Informative)
Doesn't affect my version of Mozilla (Score:4, Informative)
If any Mozilla versions later than 1.4.1 were to be affected, I'm willing to bet the Mozilla release would be patched within a day, whereas Microsoft would take a minimum of two weeks and a max of maybe never.
Firebird fails in the status bar, sort of (Score:5, Informative)
Not patching this month...... (Score:5, Insightful)
Still, this seems like a major flaw. For the last 3 months I've been recommending to all my friends and family to start using Mozilla. Not saying it's perfect, but there are a lot fewer flaws than in IE.
Re:Not patching this month...... (Score:5, Funny)
Re:Not patching this month...... (Score:2, Interesting)
The problem is that it looks like it affects them all.
If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol
http://www.zdnet.com@slashdot.org
I'm still not really sure what the problem is. Even if the bug removed the @slashdot.org, it just means that those of us that actually pay attention to the address bar might get fooled. Most people don't pay any attention to
Re:Not patching this month...... (Score:5, Informative)
If I understand what they are saying, if you put a %01 before the @ symbol then the address bar will display one address while going to a different one. Guess what, so does just putting the @ symbol
http://www.zdnet.com@slashdot.org
No, no, you're missing the point. Yes, that URL you mentioned will take you to slashdot and not zdnet, fine. But you'll see it in the location bar and know it's a fake. However, with this exploit, if you put a URL encoded ASCII "NUL" (%00) or "SOH" (%01) in the URL, the location bar will not display the @symbol or anything after it. Thus:
http://www.yahoo.com%01@www.0wnz0red.com/0wn-j00.html
will take people to the "0wn-j00.html" page on 0wnz0red.com, however the location bar will only display:
http://www.yahoo.com
Assuming 0wnz0red.com is a well-done forgery, even the most clueful geek would have a really, really, really, hard time telling that he's at anything but yahoo.com. (yeah, yeah, netstat and firewalls and all that, but that's not the point)
And before you all say it's only %01, it's not - it's %00 as well as %01. Go read the secunia link.
Re:Not patching this month...... (Score:3, Informative)
"%00" will hide the link in the tooltip and the status bar on both Mozilla and IE. Although Mozilla will correctly display the entire link in the link properties where IE only displays up to the "%00" here also.
"%01" will not hide the link in the tooltip or the status bar in either Mozilla or IE, but it will make the location bar only show up to the "%01" in IE after you click on the link.
HowTo Exploit (Score:5, Interesting)
Create a local document:
Note that thanks to Slashdot the code is munged. Remember to remove the extra-Slashdot-added spaces.
Open this up in Internet Explorer and you'll see the text, with the "%01" character helpfully encoded into the string for you. Copy this string into another document:
Note that in this example, the encoded "%01" has been stripped out by Slashdot. Your copy & pasted string will include this character (It may appear as an empty "Box" symbol)
Save & open the file in Internet Explorer. Surprise!
But wait! There's more! If the user hovers over the link they'll see a funny looking URL in the status bar. We can fix that, though. Edit your file and add the "%00" to that URL E.g.
Again, the encoded "%01" has been stripped by Slashdot. Ensure that you add the "%00" after the encoded "%01" or this won't work. Now save the file again, and re-open it in IE. Now where does that link go?
Feeling lucky, punk?
MOD PARENT UP (Score:5, Insightful)
Someone is going to make a lot of money with this. For an example of this in action(harmlessly):
http://crayz.dyndns.org/test.html [dyndns.org]
Results of the exploit in different browsers (Score:3, Informative)
That is not the case, if it was, it would be a design flaw in html. This is just a case of different handling of an error condition.
I saw a post somewhere that said that the vulnerability works with either an ASCII 1 or an ASCII 0 character before the "@".
Here are 2 exploit pages that I just created, that just have a link to http://slashdot.org @goatse.cx.
ASCII 0 [rit.edu]
ASCII 1 [rit.edu]
(Below are the browsers I just happen to have installed)
IE6 for windows (for
Re:Not patching this month...... (Score:5, Informative)
Yes, things like FTP logins rely on that. URLs are subsets of URIs which have a lot more useful things.
For example, if you need to go to a FTP site that has a login, you can type in your address bar:
ftp://user:pass@ftp.mysite.com
That will automatically log you in with your user name and password. You could also do just:
user@ftp.mysite.com
And it will prompt you for your password
Re:Not patching this month...... (Score:5, Informative)
Re:Not patching this month...... (Score:2)
Re:Not patching this month...... (Score:2)
OK, back onto topic. Yes, MS said they wouldn't [need to] release any patches this month. So what. If a vuln has been realised, I would rather they sent the patch out than try to keep their word. This is actually a pretty serious vuln (as mentioned above, PayPal scams'll love it) and the sooner it's patched, the better.
Link to POC test (Score:5, Informative)
See also (Score:5, Funny)
Re:See also (Score:4, Informative)
The %01 part should come _before_ the @... and no, it is not just as simple as this... the URL must also be unescaped...
See Here [DevGuru] [devguru.com] if you don't know what 'unescape' means...
(Yes, this means that it will be difficult pulling this one off over, i.e., IRC, where special characters don't necessarily show up on other people's terminals)
Re: (Score:2)
That would explain a lot (Score:5, Funny)
The example misuse (Score:4, Informative)
http://www.zapthedingbat.com/security/ex01/vun1.h
Re:The example misuse (Score:2)
http://www.zapthedingbat.com/security/ex01/vun1.h
Re:The example misuse (Score:2)
Re:The example misuse (Score:5, Interesting)
Comment removed (Score:5, Insightful)
Re:That isn't much better though! (Score:5, Interesting)
It would be possible (trivial?) to put a feature in our favourite open source browser to give a security warning when you visit such a URL. Just something that tells you about the possibility that you're at a site different to the one you think you're at. It would just need to ensure that the actual domain is made obvious. eg.
You would just need to search for 'www.' or one of the TLDs in the part of the URL before the @ sign.
Re: (Score:2)
Word from the Microsoft Information Minister (Score:5, Funny)
I don't really get them sometimes, honestly. Is this sort of like there being a SARS outbreak in New York and the CDC saying that they won't look into it for a month?
Re:Word from the Microsoft Information Minister (Score:2, Funny)
A demonstration (Score:4, Informative)
Click here [ZapTheDingBat.com] [zapthedingbat.com] to see an example of how it is done...
Opera and Mozilla (at least firebird) handles it properly :-)
Re:A demonstration (Score:2, Funny)
So how do I know it's real?
Re:A demonstration (Score:2)
I need more coffee
Re:A demonstration (Score:2)
The demonstration works here.
The patch they should issue! (Score:5, Insightful)
Not only would all the IE security problems be gone (in favor of Mozilla security problems, granted, but I suspect those would be more tractable), but we'd also finally have everybody using a browser that actually supported web standards! (Yeah, IE is pretty close nowadays, but I found out recently that simple Java 1.4 applet embedding just won't work from IE if you use the basic codetype="application/java" standard, even if you've downloaded Java 1.4, whereas it does work from Mozilla.)
-Rob
Re: (Score:2)
Re:The patch they should issue! (Score:5, Interesting)
It would only be fair to see a link to Moz and Opera on banking sites and suggesting people use these browsers for maximum privacy and security.
Re:The patch they should issue! (Score:3, Informative)
Yes, it sucks. But we're a business and we can't lead technology change. Just be thankful we don't use
Re:The patch they should issue! (Score:5, Interesting)
Re:The patch they should issue! (Score:2)
MicrowhocaresjustuseandOSOS (Score:4, Funny)
Let's just hope they release the patch on purpose this time.
moderately critical (Score:4, Funny)
How long will it be before someone finds a "critically critical" uber-flaw.
ludicrously critical (Score:2)
What I want to know is, just how badly does the regular computer-using public need to get battered, by security holes and other exploits in IE, before they finally just ditch the damn thing?
I installed Firebird for a co-worker the other day. While I was doing this I explained that they should turn on the pop-up blocker. They were astounded that this feature existed at all. I find this is a very common reaction (which, in turn, a
Works fine on IE (Score:2, Informative)
Re:Works fine on IE (Score:3, Informative)
What is your version number? Mine is 6.0.2800.1106, and I can confirm that it's working (unfortunately)...
Have you tried some examples? Such as this one? [zapthedingbat.com] [zapthedingbat.com]
Re:Works fine on IE (Score:5, Funny)
Re:Works fine on IE (Score:2)
Re:Works fine on IE (Score:3, Informative)
The new version doesn't fool the address bar, but I wouldn't be surprised if there's some combination of characters that does.
These are pretty nasty bugs. (Score:5, Insightful)
Goddamn it! (Score:2)
Re:Goddamn it! (Score:2)
Or you could've been a bit less drastic and made them switch to more secure apps while keeping the MS OS (yeah I know, not perfect but it's a step in the right direction -- people are less likely to ditch everything at once).
Why couldn't you just migrate them to Mozilla/Firebird and install some security measures on their computers (good anti-virus, Spybot:S&D, etc)?
Re:Goddamn it! (Score:2)
Not a problem in Opera (Score:5, Informative)
Re:Not a problem in Opera (Score:4, Informative)
http://www.scps.nyu.edu [nyu.edu] and
http://www.expensable.com [expensable.com]. (expensable.com, by the way, is an excellent showcase for bad design, but most of it you'd have to log in to see. For example, the main interface is in a popup, and if you have popups blocked, you just can't log in, and it gives you no indication why.) Try going to either of those sites with your User-Agent string set to something unusual. Sure, you and I know how to change that...but for my mom, who can't even figure out how to change her Windows desktop image on her own, that's going to be a deal-breaker.
Re:Not a problem in Opera (Score:3, Interesting)
Lots of us aren't given a choice. Our desktops at work are locked down, so normal users can't install or change the software available.
My desktop machine is so locked down that I can't adjust the clock. I have to put in a formal request to IT to have it done whenever the clock gets too far away from reality. And then another request for them to set it to the correct time in my time zone, not theirs.
At home, it's a different story. Mozilla on
Re:Not a problem in Opera (Score:4, Interesting)
Have you tried using the Mozilla Zip file version, as opposed to the installer version? Essentially, install goes like:
I used it to put Moz on the Windows Ex-Privacy machines at my uni with just my user account. Naturally, you can't change the "System Access Preferences" or whatever it's called since it'd be completely asinine for anyone but Administrator to let the user choose what browser they prefer to use....
Anti-Trust Penalties my ass.
Re:Not a problem in Opera (Score:5, Interesting)
I don't use Opera, but I suspect the same is true. If it isn't, then why would you want a browser that intentionally misrenders pages for which the author did not clearly state a doctype? Aren't you just hurting yourself?
ideal:
doctype def == strict or "standards" rendering
no doctype == loose
This way you get to see most sites on the web, and those authors who have taken the care to craft their pages properly get their pages rendered in the fashion in which they intended.
Human nature will pull people in more (Score:5, Insightful)
My boss in 2001 was a pretty cluey guy most of the time. Into his mailbox came one of the eBay scams. "Re-enter your username and password etc. and we'll have your records up to date, otherwise your eBay account will be deleted". Partway through doing this he got a bit confused by the process, and I picked up immediately that it's not an eBay address. I pointed that out to him. The email's fake. A scammer looking for a way to make a quick scam using his eBay account.
What's he do? Goes straight to the main eBay site and starts looking for the equivalent page - he was still on the track of "Must update my eBay account details". It didn't even enter his head that the scam was a COMPLETE scam. Half an hour later he's asking again whether or not maybe he should use the URL in the email because he didn't want to lose his eBay account.
A fake URL might catch a few more, but it's people's attitude, trust of random emails, and acting on autopilot regarding emails that come into their mailbox that catches more than anything else IMHO.
IE Mac is fine (Score:5, Informative)
Re:IE Mac is fine (Score:5, Informative)
Re:IE Mac is fine (Score:4, Informative)
You would think so, wouldn't you? No, a separate development team worked on IE for the Mac; the codebases weren't unified at all. From all reports, IE on the Mac was better than IE on Windows in many ways, particularly standards compliance. Go figure!
Time to declare a War on Bugs... (Score:2)
check here to test your browser (Score:5, Informative)
Of course, you have to use Internet Explorer to see it.
Internet Explorer is usually found under C:\Program Files\Internet Explorer
Comment removed (Score:5, Funny)
Not so bad from a different point of view (Score:2, Insightful)
The patch problem, two-fold (Score:3, Insightful)
The people who patch immediately are basically immune to this anyway - we're not idiots. We know there is no time that PayPal would send us an email even directing us to their site to ask for a password. It's the people that need auto-update every damn day that will fall prey to this.
Sure, most of us patch/encourage updates of those around us, but even that might take some time. There will still easily be weeks of January where "Verify your PayPal account for free Valentine's chocolates sent to your significant other" emails will be rampant.
I like the idea of more predictability to patches, but I don't think it's feasible for reasons like this. The only way to predict when a patch will be needed is to set a schedule for their issue, and then immediately after that all the security problems will be exploited that have been found. i.e. in January serious problems found in December will come out and we'll have hell from then in January. Come the patch for January, all the problems found in January will crawl out, and we'll have hell again.
This will continue, ad extremum nauseum.
Enough ranting, I'll propose a solution. Windows is shipped with an auto-update immediately feature for home users who wouldn't dream of making a configuration change. Then there is a monthly patch that rolls everything together, and Update can be set to use that instead for appropriate machines that are administrated appropriately with users aware of issues. Or perhaps security issues are patched immediately and the latest WMP functionality gets put in the same patch with all the driver updates, etc. that can seriously wait a couple of weeks instead of everyone having to reboot their machines an extra half dozen times a month. There - that's two ideas off the top of my head that I would take over our current state of affairs in a heartbeat.
Microsoft update eats Mozilla profile? (Score:2)
On three occasions, with two different users, I have observed that Netscape/Mozilla profiles have disappeared following Microsoft update. Just a coincidence? Perhaps, but after the third occurrence I have become suspicious.
Because Microsoft update is an opaque process, there's no way I can even attempt to 'reproduce the problem' as I would normally do in similar circumstances.
So I'll ask
Re:Microsoft update eats Mozilla profile? (Score:3, Interesting)
One time I played with the application that lets you set your default browser and email package - the thing that Microsoft had to do because of the DOJ ruling. It completely screwed up Mozilla - it actually renamed files in the Mozilla directory, I kid you not. I couldn't believe it. I
Re:Microsoft update eats Mozilla profile? (Score:3, Interesting)
If indeed the tool is the culprit, it may be easier than I had originally thought to reproduce the problem, and hence build a case against Microsoft. At least a case against their software. Proving intent wou
Not that big of a deal (Score:2)
I can create a web page that opens a window with NO menu at the top, buttons, or address bar (pop-ups do this all the time). And then I can have that web page CONTAIN a substitute menu, buttons, and address bar. In that fake address bar, I can write "www.microsoft.com", just like the sample demonstration. Simple exploit. May fool some people. May get them to enter their credit card info.
Better yet... imagine this.... set up a whole www.ammazon.com (sic) site that looks l
Scares the pants off me... (Score:5, Insightful)
Now is the time to Push Mozilla and Firebird (Score:5, Insightful)
I find giving people the link (or installing it myself) to the Firebird installer [mozdev.org] and showing them how multiple homepages, pop-up blocking, and tabs work usually wows them.
I'd much rather field some tech support questions about Moz than deal with a frantic relative or friend telling me how all the money in their bank account was stolen by "internet thieves."
Paypal et al should be pushing for more secure browsers on their site. I don't see how this could be a business conflict with MS. Paypal has a lot to gain by simply suggesting there are more secure browsers out there.
Chrome-free windows already allow this! (Score:2)
Similar IE bug (Score:5, Interesting)
Still.. (Score:3, Informative)
And no, this bug won't work on slashdot since slashdot removes the username parts of a URL, and also removes the DOS smileyface character from posts.
Exposed Cookies? (Score:4, Interesting)
I'm wondering if some shady types could use this exploit to get your cookies for any site of their choosing.. that just might be a slight problem
Results of dumbing down UI (Score:4, Insightful)
Just another example of a solution that solves a problem that doesn't exist and creates security holes.
Why is there an @ at all? (Score:3, Interesting)
Perhaps that would explain why such a silly feature exists at all. It seems to have no other purpose than for spoofing.
Re:Why is there an @ at all? (Score:4, Informative)
Basically, it allows you to specify a username and possibly a password as part of a URL. http://w:x@y.com says to connect to y.com with username w, password x. The URL http://w@x.com means to connect to x.com with username w. This is not in particularly common use for HTTP, but it can be useful for sites that use HTTP authentication.
Web servers ignore the username and password if you connect to a page that doesn't require authentication, so for most sites, everything before the @ is simply ignored.
So this really is part of a standard, and it exists for a good reason. It's not a redirection at all, but simply a part of the URL standard that isn't used often enough for people to know what it means. The whole spoofing thing is a completely unintended consequence of that.
Perfect (Score:3, Interesting)
If an e-mail contains the characters "%01@" or "%00@" kill it.
I can't think of any reason why those strings of characters would legitimately be found in an e-mail.
This "exploit" has very very few practical applications that would actually fool anybody. No legitimate company sends out an e-mail asking to verify your information by clicking on a link. This doesn't change anything in that area. So instead of telling grandma not to click on links in e-mails that look "suspicious" how about telling her simply to not divulge any information to web-sites that ask for that information through an e-mail.
If PayPal needs to verify your information they ask AFTER you log in. They may send an e-mail saying they need you to log into your account to take care of something.
So for a real world example, if Grandma gets an e-mail from "PayPal" or her "bank" telling her that she needs to validate some information, tell her to open her browser and go to her bank's web site the old-fashioned way of typing it in, log into her account and then see if any notices are there.
If not, the e-mail is a fake. If a notice is there, do what the notice says on the site.
Simple lesson for Grandma: Never click on a link from an e-mail to verify information. ALWAYS manually type in the URL for the company you're involved with asking for your information, log in, and THEN look for notices and do what they say. Grandma should already know not to give information to companies she has no knowledge about.
Anyone throwing up their hands about having to reteach Grandma didn't teach Grandma properly in the first place.
There's a very generic object lesson here that has zero to do with trying to see if a URL is being sneaky that you should have taught her years ago when the first "click here to update your info" scams came through.
Ben
A way to block this exploit.... (Score:3, Interesting)
To nuke this exploit from links you follow on a website (it won't help if you follow it from an e-mail or paste it into the address box, but if you are duped by that, then you probably aren't reading Slashdot) you can add this rule to the Proxomitron (or a similar one to Privoxy, an open source equivalent)
and it will do a nice job of blocking all of these links.
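An added example, not code from any poster, from Secunia or from any browser: a small Python check that implements the detection this thread sketches in three places, the suggested browser warning that looks for "www." or a TLD in the part before the "@", the "kill any e-mail containing %01@ or %00@" rule, and the proxy rule above. The hostnames attacker.example and intranet.example and the sample mail are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Labels treated as "looks like a public TLD"; a production filter would use
# a fuller list.  All hostnames in the samples below are constructed.
TLD_LIKE = {"com", "net", "org", "edu", "gov", "uk", "de"}

_AUTHORITY = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.\-]*://([^/?#]*)')
_URL_IN_TEXT = re.compile(r'\b[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s<>"\']+')


def split_authority(url):
    """Return (userinfo, hostport) for a URL with an authority, else (None, None).

    Browsers treat the LAST "@" in the authority as the userinfo delimiter, so
    everything before it is credentials and everything after it is the real host.
    """
    m = _AUTHORITY.match(url)
    if not m:
        return None, None
    authority = m.group(1)
    if "@" not in authority:
        return None, authority
    userinfo, hostport = authority.rsplit("@", 1)
    return userinfo, hostport


def destination(url):
    """The host the request actually goes to, with any :port removed."""
    _, hostport = split_authority(url)
    if hostport is None:
        return None
    return re.sub(r':\d+$', '', hostport)


def spoof_reasons(url):
    """List why a URL looks like the user@host spoof; empty list if it does not."""
    userinfo, _ = split_authority(url)
    if userinfo is None:
        return []
    reasons = []
    decoded = unquote_to_bytes(userinfo)
    # (a) the %00 / %01 trick: any C0 control byte or DEL after percent-decoding
    if any(b < 0x20 or b == 0x7f for b in decoded):
        reasons.append("control character in userinfo")
    # (b) the heuristic from the thread: does the userinfo look like a hostname?
    #     Drop control bytes and any ":password" part before inspecting it.
    visible = bytes(b for b in decoded if 0x20 <= b < 0x7f).decode("ascii")
    name = visible.split(":", 1)[0].lower()
    labels = name.split(".")
    if name.startswith("www.") or (len(labels) > 1 and labels[-1] in TLD_LIKE):
        reasons.append("userinfo looks like a hostname: " + name)
    return reasons


def warning_text(url):
    """What a browser-side warning for such a link could say, or None if clean."""
    reasons = spoof_reasons(url)
    if not reasons:
        return None
    return "This link goes to %s (%s)" % (destination(url), "; ".join(reasons))


def flagged_links(text):
    """Mail-filter / proxy view: every URL in a text blob that trips the check."""
    return [u for u in _URL_IN_TEXT.findall(text) if spoof_reasons(u)]


# Constructed sample message in the style of the "corporate user" post below.
SAMPLE_MAIL = """Subject: MANDATORY: Username and password verification

Please use the form below to verify your username and password.
http://our.corporate.intranet%01@attacker.example/verify

Our policy page is at http://intranet.example/policy for reference.
"""

if __name__ == "__main__":
    for u in ("http://www.yahoo.com%01@attacker.example/0wn-j00.html",
              "http://www.zdnet.com@slashdot.org",
              "ftp://user:pass@ftp.mysite.com"):
        print(u, "->", warning_text(u))
    print(flagged_links(SAMPLE_MAIL))
```

The legitimate ftp://user:pass@host form from the thread is not flagged, while the bare http://www.zdnet.com@slashdot.org trick still gets a hostname-style warning, which is what Opera's prompt described later in the thread amounts to.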
bad for the corporate user (Score:3, Interesting)
To: corporate user
From: corporate help desk
Subject: MANDATORY: Username and password verification
Last night, one of our authentication servers went down and we need to rebuild the our database. To make this process easier for us, please use the form below to verify your username and password.
http://our.corporate.intranet%01@www.malicious_
Thank you for your cooperation.
IT Help Desk
===
I can't believe that MS is just considering a patch for this. I would write to your corporate internet security officer and urge this person to take a look at this MS IE vulnerability and also to switch to Mozilla. This could be Mozilla's chance.
Gotta love microsoft's response (Score:3, Insightful)
How many people are going to give their credit card/bank/paypal info to these sites thinking they are safe because they have norton antivirus or zone alarm running. They are basically telling people not to worry when this is a huge security flaw - the only way to be safe is to type the URL in instead of following links.
The one piece of good news in this is . . . (Score:3, Informative)
Patch Just Released! (Score:4, Funny)
www.microsoft.com/ie/download%01@ftp.mozilla.or
Re:Crap like this..... (Score:2, Funny)
That's pretty elite - can you post your config files on how to do that?
Re:Crap like this..... (Score:2)
Re:Not just an IE bug... (Score:3, Informative)
http://www.microsoft.com@zapthedingbat.com/secu
Re:Not just an IE bug... (Score:2)
Come on ... (Score:5, Insightful)
Do you really believe that the same stupid coding error would appear in three different implementations by three different organisations? It's not a flaw in the HTTP protocol's GET request method, it's a flaw in Microsoft's URL handler.
Re:This affects mozilla firebird too (Score:4, Interesting)
Yes, I know you're a troll. But I figured anybody who might be fooled by your outstanding writing should be able to click on a link and test their own browsers.
Also, I should note that Opera actually gave me a pop-up warning that I was sending a username to the site - the username www.microsoft.com - and after I agreed to do that I got a page with the correct url. Has anybody else tested this on other browsers?
Re:Why is it slashdot never reports...... (Score:4, Insightful)
As for this particular problem, as always Bashdork makes it seem like the end of the world, front and center. Check the other responses on this article - Mozilla is also vulnerable. I'm running Mozilla 1.6a (2003110515) and I see the "http://www.microsoft.com/" URL on the Secunia spoof page [secunia.com]. This kind of puts it in perspective, eh?
Mozilla is an excellent browser, that's for sure. But it is what it is because IE4 raised the bar so high (compared to NSN) that there was really nowhere to go. I personally use both, and I'm glad that Mozilla is (finally) giving IE a run for its money. But to go from embarrassed silence to this... well, as so many other areas where open source had to play catch up, the FUD tends to convey the idea that Microsoft has always produced non-functional "crap" and everyone else has been running circles around them forever.
Very funny. Oh, and the "economy cereal" thing? Brilliant. I've heard the same thing said about Mozilla (albeit with a different angle), with its 40-second load times and clunky one-size-fits-all non-standard GUI. Not that I'd agree though. But hey, don't let that put a dent in your superb flaming skillz.
And let's see how long it takes for the Mozilla folks to patch this one. And of course, for all those people running older builds to actually download and install.