Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Internet Explorer The Internet Bug Security IT

New Spoofing Vulnerability in IE 372

Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available."
This discussion has been archived. No new comments can be posted.

New Spoofing Vulnerability in IE

Comments Filter:
  • by Anonymous Coward on Thursday December 16, 2004 @07:58PM (#11111418)
    Get it here [getfirefox.com]
  • by Eyah....TIMMY ( 642050 ) * on Thursday December 16, 2004 @07:59PM (#11111424)
    Using the latest version of Avant Browser [avantbrowser.com], on a fully patched XP SP2 system. It seems obvious since Avant is based on IE but I thought it would be useful to know.
    • by zarniwoop102939 ( 596809 ) on Thursday December 16, 2004 @08:46PM (#11111863)
      As suggested in the article, you can block the vulnerability in Avant by disabling ActiveX (Tools | Disable ActiveX). This is how I browse with Avant by default, along with:

      - Block Flash
      - Block Popups
      - Block Ads
      - Disable Sounds
      - Disable Videos
      - Disable Java Applets

      Makes pages load very fast, and if I need one of those functions for the page I'm on, I just toggle it on for the session.

      Between these security features and still having the compatibility of IE, that's why I love Avant so much. Yes I used Firefox for 2 weeks, and went back to Avant.
  • by Anonymous Coward on Thursday December 16, 2004 @08:00PM (#11111431)
    Everytime there's a major Firefox event, a release or New York Times ad, they chip it by having another IE vulnerability to raise awareness of Firefox. Thanks Microsoft!
    • Yes, and outside of nerdville, who gives a shit about Firefox? What OSS has to do is release ads to TELL people how bad IE is, not how good Mozilla is alongside. SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE.

      • by Anonymous Coward on Thursday December 16, 2004 @08:08PM (#11111531)
        What OSS has to do is release ads to TELL people how bad IE is

        never mention your competitor in advertising
        no such thing as bad publicity, people tend to forget the details but "brand reinforcement" still applies, if you have to mention your competitor then it implies your product wont/cant stand up on its own merits = you have LOST

        just an anon advertising exec
        • by shawb ( 16347 ) on Thursday December 16, 2004 @08:22PM (#11111657)
          Woah. So that's the reason for the phrase "... than the leading brand." as in "20% more cotton than the leading brand" or whatever. I just assumed that it was to prevent litigation.

          Then again, I suppose the phrase could be used for both reasons.
          • by SoSueMe ( 263478 ) on Thursday December 16, 2004 @08:34PM (#11111767)
            There's a philosophy in politics that goes like this: "It doesn't matter what they're saying about you, as long as they're talking about you. When they stop talking about you, you are dead".
          • by Michalson ( 638911 ) on Thursday December 16, 2004 @09:00PM (#11111956)
            Comparing your product to a specific competitor in a commercial suggests to the viewer that you are either neck and neck or more frequently that you're in the #2 position. If you are the actual market leader, or you want to be the leader, you *don't* want to send that kind of message.
            Negatively advertising about your competitor (talking about why their product is bad, rather then why yours is good) is bad no matter what position in the market you're in. Instead of saying you're the underdog but people should try you out, you're saying your competitor is bad, so you're all that's left. People aren't interested in leftovers and those winning by default. If Firefox wants to successfully advertise, it should be talking about "faster browsing" without actually mentioning what it is being compared to, let alone naming Microsoft or IE.

            And that boys and girls is why the basement dwelling me too fanatics who crowd around OSS are doing far more harm to OSS adoption then good. No business is going to suddenly switch to open source as long as "OMG M$ IS TEH SUX0RS!!!!!!!" is the message crowding out any intelligent and level headed promotion of true technical and cost superiority.
            • So we should be saying "OMG LINUX IS 578% MORE 1337 THAN TEH LEADING MONOPOLY!!!!" ?
              • by Michalson ( 638911 ) on Thursday December 16, 2004 @09:25PM (#11112132)
                Good start. The main issues are that "1337", and "monopoly" may be confusing to your average consumer (they'll have no idea what "1337" is, and will be confused about why you are comparing your product to a board game)

                A fundemental rule of marketing is that your commercials should be understandable by your entire demographic (sometimes ad campaigns will use "inside jokes" if the demographic they are targeting is tight enough, but it's still risky). By using special words or concepts only known or believed by a small number of people will mean you risk (or nearly guarantee) having your commercial coming across to your audiance like The Architect from The Matrix trying to sell them car insurance - ..concordantly the 5% saved through a 2 driver plan inexorably causes a diminution of the overall non-fault accident premiums. Ergo those signing up before January 1st will...
        • IANA Ad Exec, but my observation has been that this only applies if you are in (or near) first place, especially in a two-horse race. For example, Coke will never mention Pepsi, but Pepsi often mentions Coke in their ads because they have nothing to lose. Likewise, George Bush would only refer to John Kerry as "my opponent" during the campaign, even when they were standing face to face in the debates. I kept wishing Kerry would hit back with some wise-ass remark like "I know you don't read the news, but you
        • Never mention your competitor? I don't think competitor is quite the word here. IE vs. Firefox is not really a competition either. The reason Coke sells better than Pepsi is because people have tried both, and they think "I like Coke better." The reason 90% or so (the vast majority) of poeple use Internet Explorer isn't because they think "I tried both and weighing the featurs of each, I choose IE."

          It's much more of a matter of people (A) not hearing about Firefox, and (B) not using it because they d
          • A) IE is very recognized. I don't think there is anyone that uses the internet that doesn't know what it is.

            Laura Ingraham recently changed her website. The day she changed it, she had people calling in telling her whether they were being directed to her old site or her new site, and was asking what browser and ISP they were using. You would be amazed (or maybe you wouldn't) at how many people just responded with something like 'my internet' or 'AOL' for their browser. Her little sidekick dude kept tel

        • never mention your competitor in advertising
          no such thing as bad publicity, people tend to forget the details but "brand reinforcement" still applies, if you have to mention your competitor then it implies your product wont/cant stand up on its own merits = you have LOST


          So.... does this mean that Microsoft has already lost when they mention 'get the facts'??? [microsoft.com]
        • That's a fine principal when you're selling soda or cleaning products, but many of the people you're trying to reach don't even know what a "web browser" is.

          There are tons of people who "click on the 'e'" or "go into the Internet" or "use the Internet Explorer to get to Google"

          These people don't even realize that "web browser" is a product they use, made by multiple companies. If you're lucky, they remember Netscape. If they read "Firefox 1.0!" in a newspaper, they skim past it just like they skim past "B
      • SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE. [Emphasis mine.]

        Get a grip. The internet is only the entire way of life for slashdotters and other nerds. "Outside of nerdville," most people will continue to be quite able to play softball, mow the lawn, and tell stories to their kids even without IE. Even I shall survive. Even thou mightest.
        • by Mr. No Skills ( 591753 ) <lskywalker AT hotmail DOT com> on Thursday December 16, 2004 @08:26PM (#11111699) Journal
          While that may be true, your message is posted right smack dap in the middle of Nerdville -- it's central park, so to speak. You're a Republican who's walked into the middle of the Democratic convention and yelled at them to get a grip.

          Of course we'll survive. It's just the internet. But, many of us are software professionals. We care so much about this we decided to make a career of this. We care so much about this we're willing to give away our ideas as open source projects, just to share them with the world. Forgive us if we care passionately about this, and think that basic things like browsers should not have security hole after security hole till we wonder if it will ever stop.

          And, it's not even too much of a stretch. Enough people get screwed with identity theft, and the trust of the system falls apart and it ceases to be a method that many of us earn a living with. If one of the largest companies in the world can't even fix their browser, with all the resources of an almost monopoly on the market and stock options to hire every CS post graduate student on the planet -- a technology that went through its basic definition years ago -- it puts into question the entire value of software professionals.
          • by Fortran IV ( 737299 ) on Thursday December 16, 2004 @09:11PM (#11112031) Journal
            And of course you are quite correct--it's a matter of proportion, not of fact. I've spent a great deal of time myself ranting about Microsoft and the harm they continue to do to the industry in general. My nickname is not idly chosen; it's the language I first programmed professionally in. But even I, a former "computer professional," have been too lazy to try Firefox yet, and am just bumbling along in IE. (Although security headaches at work are probably going to force the necessary trials on me soon.)

            But I can't name any other profession in which it is possible to profitably release product after product while being completely incompetent to produce. [Ignore management; it's not their job to produce.] You don't have to be a good programmer to succeed; you only have to look good. I was taught programming by a college professor who believed--seriously believed--that having five consecutive GOTO statements was a valid result of "structured programming"! I've seen countless examples (as have most people here) of bad programming. I decided years ago that anybody who actually trusts a computer is insane. I rely on computer records; I have no choice unless I want to live in a hovel in the woods and keep all my money in a mason jar. But I don't trust them, and I never will; I've known too doggone many programmers.

            Just yesterday I had a lengthy discussion with my boss (the company owner) about why IE (and Windows in general) is so weak. With all the resources of an almost monopoly on the market, you said--that is exactly the problem. Microsoft has little motivation to do more than keep hot-patching the holes in IE and Windows instead of tearing up the whole street and laying a solid foundation. In the 1960's and 1970's, IBM stayed on top of the mainframe market despite having one of the worst OS's around, because they had the most ruthlessly effective body of marketeers anybody'd ever seen; only the virtual disappearance of the mainframe market took IBM from the top. As long as Microsoft's marketeering position stays strong, MS software will stay weak.

            Quality is good. Many people will pay for quality when they can find it; people are downright amazed when they can get quality for free. But the majority of available products are going to remain Wal-Mart quality, because the vast majority of people are still going to get whatever is on the shelf at Wal-Mart.

            And their world won't end. But its shine may tarnish a lot more easily.
      • by TheDarkener ( 198348 ) on Thursday December 16, 2004 @08:11PM (#11111559) Homepage
        Yes, and outside of nerdville, who gives a shit about Firefox?

        Just about everyone I install Firefox for (almost all non-geeks)... People who don't give a shit just plain don't know about it. Firefox is faster, it has a nicer interface, and prevents things like popups and bad security practice within the browser environment. The people that start using Firefox by force (by me) usually thank me profusely and rave to me (and their other non-geek friends) about it within 30 minutes of using it.

        Plus, just look at the themes!! Who doesn't like themes??
        • "People who don't give a shit just plain don't know about it." I recently told a guy who is responsible for IT at a public school about Firefox. He had not heard of it.
          • A college tutor who has been telling us for the last three weeks to "keep up with the industry, read magazines and web sites!" etc hadn't heard of Mozilla Firefox when I mentioned it (was a lesson on security and I said that I would recommend using an alternative to IE such as firefox).

            The funny thing was that on the next powerpoint slide she brought up was an example of email spoofing, and the example was showing an email coming from webmaster@mozilla.com.
      • by ticklemeozmo ( 595926 ) <justin,j,novack&acm,org> on Thursday December 16, 2004 @08:12PM (#11111577) Homepage Journal
        What OSS has to do is release ads to TELL people how bad IE is, not how good Mozilla is alongside. SCARE people into realizing that their entire way of life is AT RISK if they continue to use IE.

        Or maybe a simple 5 color-coded chart!

        RED - Browsing with IE
        ORANGE - something witty
        YELLOW - something wittier
        GREEN - Browsing with Firefox
        BLUE - Unplugging your network cable

        Firefox(tm). The next safest thing to unplugging your network connection.
      • Actually, us nerds are moving everyone we know to Firefox, except for the few weirdos who like Avant and Opera ;)
      • I've had a good portion of my Windoze using friends and neighbors come up to me and ask if I have Firefox. Previously, these same people would glaze over when I attempted to explain why using IE wasn't a good idea. But now they feel "in the know", and are going around sharing their newfound knowledge with anyone who didn't see the ad. Far be it from me to rain on their parade :-)
  • Safari (Score:2, Informative)

    by sys49152 ( 100346 )
    Just tried it with Safari. Clicking the demo link does absolutely nothing. Turning off pop-up blocking and clicking the link does ... absolutely nothing.

    Next.
    • Re:Safari (Score:3, Informative)

      Tried it all in Konqurer, and no problems at all. I hate hackers but maybe these problems will finally start driving people towards alternative browsers. My website currently gets 85% windows users and only 65% IE users. So that's a good start away from IE.
    • Probably giving a similar error as what I get in Konqi :)

      Error: node : TypeError: Undefined value
    • Exploder on the mac also does nothing when clicked. It seems to be using a javascript that is being ignored when clicked. You can copy it to clipboard though, and all you get is something like "javascriptstart()" for a link.
    • Re:Safari (Score:3, Funny)

      by 12ahead ( 586157 )
      I just tried it with a potatoe peel. Nothing. ;) As it said.. IE. Secunia does test these things on other browsers and as they have shown in the past they are likely to come up with cross-browser exploits in the future.
  • infinite popups (Score:4, Informative)

    by yali ( 209015 ) on Thursday December 16, 2004 @08:03PM (#11111469)
    On my computer, the exploit demo seemed to be trying to launch popups, which Google toolbar stopped, which apparently made the demo site want to throw up another popup, which Google toolbar stopped, etc. It looped up to 110 popup attempts before I managed to shut down that IE window.

    Not the advertised exploit, but pretty damn annoying in its own right.

  • Geez... (Score:3, Interesting)

    by TheDarkener ( 198348 ) on Thursday December 16, 2004 @08:04PM (#11111473) Homepage
    To me, whenever I see a vulnerability article for IE on Slashdot, I say to myself "Man...why does that seem like it's such a trivial programming error to fix?" as opposed to when there's a vulneraibility to Firefox/all browsers, when it's something like "Wow, someone really took some time to craft that one out"...just a thought.
  • Next, we'll be reading about studies showing that two hydrogen atoms and one oxygen atom form a clear, wet substance.
  • I have the latest version of Spoofstick (1.02 released 8/18/2004) and PivX Qwik-Fix Pro (v1.4) and the vulnerability tests positive in my up-to-date IE: a new window appears with both IE and Spoofstick reporting the site as citibank.com
    • Spoofstick simply removes any tricky usernames/passwords or subdomains that would trick some users. So, ebay.phishing.com is shown as phishing.com, and ebay.ca/login.php@newb.com is shown as newb.com. Spoofstick can not handle an exploit like this since the address bar would actually show citibank.com, without anything extra.
  • How long until... (Score:5, Insightful)

    by dew4au ( 804562 ) on Thursday December 16, 2004 @08:07PM (#11111517) Journal
    ...people start banging on Firefox hard enough to expose vulnerabilities?

    Or, is Mozilla just that good at plugging leaks before they happen?
    • by lewiz ( 33370 ) <purple@@@lewiz...net> on Thursday December 16, 2004 @08:27PM (#11111711) Homepage
      Somehow the poster of the parent has been modded down for Trolling, regardless of the fact that it is a valid point, within the context of the article, and definitely not a troll.

      I frequently wonder what will happen as people start to shift more focus onto the software we so highly regard. Hands down Firefox is a more usable browser but I don't think it yet has the sort of attention that Internet Explorer does. Until such a time we will never truly know just how resilient Firefox is.
      • The difference between Open Source and MS is that inside MS, coders who are technically employed to work on a specific part of the MS empire cannot easily supply fixes and code for inclusion inside IE. That is down to the IE team to fix. Its just the same at work, we are told to remain focused on our own tasks, no matter if colleagues on other projects are floundering.

        Once exploits start coming out for Firefox (as most reasonable people expect them to) those many eyes from around the OSS community (some
    • Re:How long until... (Score:3, Informative)

      by fireduck ( 197000 )
      it's already happened. see the firefox page. [secunia.com]
    • by EngMedic ( 604629 )
      This has been knocked around here for quite a while, and every time, somebody points out what i'm about to.

      It's probably safe to say that firefox is simply a better written browser, but another aspect of the issue is the question of system incorporation. Bugs on IE are critical because not only can they do the normal spoof/phish/etc, they can also worm their way into the guts of windows. Bugs on Firefox can't, simply because firefox isn't integrated as tightly into the operating system as a whole -- and
    • Re:How long until... (Score:3, Interesting)

      by Frogbert ( 589961 )
      The main benefit is that Mozilla is good at plugging leaks after they happen. That is an important destinction. Microsoft can sit on their hands for months before a serious bug is fixed. Mozilla users are treated to a security fix days, possibly hours after.
    • by roca ( 43122 )
      They are banging away. There is a bug bounty program, remember. And since everyone says Firefox is a more secure browser, isn't it cooler to take down FF than IE?
  • Wine Help (Score:5, Funny)

    by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Thursday December 16, 2004 @08:09PM (#11111535) Homepage
    I really want to try this but I have such problems getting stuff to run in wine.
  • by Anonymous Coward on Thursday December 16, 2004 @08:10PM (#11111547)
    With Internet Explorer for the Mac hovering above the link makes the status bar say "javascript:start();", but clicking on it does absolutely nothing. Exact same result with Safari.
  • OK. I use Mozilla anyway, so I shouldn't care about this particular bug. But the last couple mentioned here on /. that affected Mozilla, used Javascript to transfer data entered from one window to another. There's been a few of these, so I disabled Javascript and turn it on only when needed. Is this such a hard workaround? If you like IE, and you need ActiveX, can you just leave it off until a webpage needs it? There's going to be hundreds of these exploits popping up -- no one can fix them all.
  • what!? (Score:3, Interesting)

    by Turn-X Alphonse ( 789240 ) on Thursday December 16, 2004 @08:12PM (#11111568) Journal
    You mean people STILL use IE, once they've been to Slashdot? Doesn't seem to really relate to us any more..
    • I can't remember how long ago but I think it was CowBoyNeal that was quoted and said that 85% of people that read slashdot are using IE. I'm not sure about that though and hopefully someone can clear that up.
    • Re:what!? (Score:2, Interesting)

      by LGagnon ( 762015 )
      You mean people STILL use IE, once they've been to Slashdot?

      Apparently, [slashdot.org] they still do.
  • Disable ActiveX (Score:5, Insightful)

    by OverlordQ ( 264228 ) on Thursday December 16, 2004 @08:14PM (#11111590) Journal
    Disable ActiveX and this wont work. This exploit depends on ActiveX to run.
  • I'm in SP1 and opened the link in IE, doesnt do anything, just shows the javascript error icon.

    At least the announcment was timed well. [slashdot.org]
  • Master Plan (Score:2, Insightful)

    by BossMC ( 696762 )
    I see what's going on here. Microsoft put so many exploits into IE that eventually the black hats will be overwhelmed with possibilities, to the point of quitting. It's like the vulnerability-options DDoS.
  • Changing from IE (Score:2, Interesting)

    by EyelessFade ( 618151 )
    Here we have one that broke up with IE. Fun story ;)
    http://reviews.cnet.com/4520-3513_7-5570803-1.html ?tag=nl.e497/ [cnet.com]
  • NYT Ad (Score:3, Insightful)

    by Adrilla ( 830520 ) on Thursday December 16, 2004 @08:20PM (#11111643) Homepage
    In the NYT ad, they should've added every IE bug that's been discovered since Firefox was released. I mean they are probably the biggest contributors to FF's popularity.
  • Maturity (Score:3, Insightful)

    by confusion ( 14388 ) on Thursday December 16, 2004 @08:24PM (#11111680) Homepage
    I realize IE is probably a huge codebase and a big development team, but it is simply amazing that these problems keep popping up. A company with the size and resources of MS should have a much better handle on these things.

    Where I work, we have code reviews, automated code scrubbers, and extensize QA, and we're a relatively small shop compared to them.

    I know they're trying, otherwise it would be a lot worse, and SP2 did a good bit to improve things, so I can't be that hard on them.

    Jerry
    http://www.syslog.org/ [syslog.org]

  • Microsoft bashing (Score:2, Interesting)

    by linders ( 822835 )
    Microsoft bashing is always fun, but I really just want to be able to use any browser, on any OS. This why I hope Firefox takes off
  • by Twintop ( 579924 ) <david@twintop-tahoe.com> on Thursday December 16, 2004 @08:28PM (#11111720) Homepage Journal
    I wonder if this exploit is also in Outlook and/or Outlook Express? If so, it'd be very easy for someone to send out spam with what looks like 100% legit, right down to what URL is displayed in the link when hovered and the address bar URL once opened, thanks to this exploit.
  • by djdavetrouble ( 442175 ) on Thursday December 16, 2004 @08:31PM (#11111738) Homepage
    (with pointed finger) Ha-Ha
  • by PeterHammer ( 612517 ) on Thursday December 16, 2004 @08:58PM (#11111944)

    Maybe it's just me, but I would love to see what IE's source code must look like at this point with all the patching it has gone through over the years.

    Even more amazing perhaps are the facts that:

    • 90% of the planet still uses it
    • It is still the only way to get critical updates for about 50% of windows users out there
    • Other than (duh!) security bugs, it pretty much still works without a hitch

    Most certainly the best built house of cards on the planet!

  • by allanc ( 25681 ) on Thursday December 16, 2004 @09:05PM (#11111988) Homepage
    ...if they just posted news announcing days when vulerabilities aren't found in IE.

    --AC
  • by metalpet ( 557056 ) on Thursday December 16, 2004 @09:05PM (#11111991) Journal
    This doesn't have much in common with the %00 bug, which was essentially a visual bug, vaguely useful to convince that small percentage of people that verifies the URL of the site they're in instead of going by the look&feel of the page.

    This bug however allows to break cross-domain scripting boundaries.
    A practical example is that an attacker could craft a web page so that when a slashdotter visits it, it automatically submits a silly comment in reply to a particular post (yes, in spite of the hidden formkey field.)
    Worse things could be done, like automatically grabbing the last 10 emails from your hotmail account if you happened to be logged in, send random replies to them, etc...
    Use your imagination.

    Describing this as a way to "completely spoof the address bar" misses the impact of this bug entirely.

    All in all, a pretty cool exploit. I can't help but wonder if the double use of ExecScript and setTimeout is really necessary, but maybe that's an attempt to make it work accross more environments.
  • by rice_burners_suck ( 243660 ) on Friday December 17, 2004 @12:10AM (#11113176)
    Let's put one of these chain emails to good use:

    Bill Gates died and went to heaven. As he stood in front of St.Peter at the Pearly Gates, he saw a huge wall of clocks behind him. He asked, "What are all those clocks?"

    St. Peter answered, "Those are Software Vulnerability Clocks. Every computer program on Earth has a Software Vulnerability Clock. Every time a program is compromised due to a bug in the code, the hands on that program's clock will move.

    "Oh," said Bill, "which clock is that?"

    "That's the UNICOS clock. The hands have never moved, indicating that it was never compromised by an attacker."

    "Incredible," said Bill. "And which clock is that one?"

    St. Peter responded, "That's the OpenBSD clock. The hands have moved twice, telling us that the "Only one remote hole in the default install, in more than 8 years!" was compromised only two times in this operating system's life."

    "Where's Internet Explorer's clock?" asked Bill.

    "That's in Jesus' office. He's using it to drive the generators, which provide power for our celestial copy of Las Vegas."

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...