Internet Explorer URL Spoofing Vulnerability
Secunia | 12/09/03 | Zap The Dingbat
Posted on 12/11/2003 10:32:57 AM PST by Salo
Internet Explorer URL Spoofing Vulnerability
Secunia Advisory: SA10395
Release Date: 2003-12-09
Last Update: 2003-12-11
Critical: Moderately critical
Impact: ID Spoofing
Where: From remote
Software: Microsoft Internet Explorer 6
Description: A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.
The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in a URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.
This can be exploited to trick users into divulging sensitive information or downloading and executing malware on their systems, because they trust the faked domain in the two bars.
Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
A test is available at: http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
The vulnerability has been confirmed in version 6.0. However, prior versions may also be affected.
Solution: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.
Don't follow links from untrusted sources.
Reported by / credits: Originally discovered by: Zap The Dingbat
Status bar variant reported by: Chris Hall
Changelog: 2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
TOPICS: Business/Economy; Crime/Corruption; Technical
KEYWORDS: computersecurity; explorer; lowqualitycrap; microsoft; security; windows
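The advisory's workaround, filtering suspicious character sequences at a proxy, can be sketched as a URL check that reports the host a link really points to. This is an added example, not part of the original post or of Secunia's advisory; the policy, `inspect_url` and `Verdict` are hypothetical names, and the sample URLs are constructed from the advisory's own example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote_to_bytes

# C0 control bytes and DEL: never legitimate inside a URL authority.
CONTROL_BYTES = bytes(range(0x20)) + b"\x7f"


@dataclass
class Verdict:
    real_host: str   # host the request actually goes to (after the last "@")
    decoy: str       # userinfo text in front of the first control byte
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.reasons)


def inspect_url(url: str) -> Verdict:
    """Apply a hypothetical proxy policy to one URL (http/https only)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return Verdict("", "", ["authority could not be parsed"])
    userinfo, at, _ = parts.netloc.rpartition("@")
    if parts.scheme not in ("http", "https") or not at:
        return Verdict(host, "")
    raw = unquote_to_bytes(userinfo)  # turns %01 and %00 into real bytes
    verdict = Verdict(host, "")
    first_ctl = next((i for i, b in enumerate(raw) if b in CONTROL_BYTES), None)
    if first_ctl is not None:
        verdict.reasons.append("control byte before '@'")
        raw = raw[:first_ctl]
    verdict.decoy = raw.decode("latin-1")
    # A user name shaped like a host name is what misleads the reader.
    if "." in verdict.decoy.split(":", 1)[0]:
        verdict.reasons.append("userinfo looks like a host name")
    return verdict


# Constructed samples; the first is the example URL from the advisory.
SAMPLES = [
    "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html",
    "http://www.trusted_site.com@malicious_site.com/",
    "http://alice@intranet.example/",
    "http://www.trusted_site.com/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        v = inspect_url(u)
        print("BLOCK" if v.blocked else "allow", v.real_host, v.reasons)
```

The first two samples are blocked and both report `malicious_site.com` as the real host; the plain user name and the URL without userinfo pass.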
This one's a Doozy. Be very careful, Freepers.
1 posted on 12/11/2003 10:33:00 AM PST by Salo
To: rdb3; Bush2000; ShadowAce; Ernest_at_the_Beach
Technical Ping.
2 posted on 12/11/2003 10:33:48 AM PST by Salo
(Hold my beer and watch this!)
To: CheneyChick
The Mac version of IE is not affected. For Windows, the Mozilla variants are ok.
3 posted on 12/11/2003 10:34:55 AM PST by Salo
(Hold my beer and watch this!)
To: EdReform
BTTT
4 posted on 12/11/2003 10:37:39 AM PST by EdReform
(Support Free Republic - Become a Monthly Donor)
To: Salo
5 posted on 12/11/2003 10:39:20 AM PST by AppyPappy
(If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: Salo
hmmm - may have to go back to netscrape.
To: Salo
Yup, this is a big one.
Expect vast volumes of porn links to be disguised in this manner very soon.
7 posted on 12/11/2003 10:45:20 AM PST by Malsua
To: Malsua
Porn links are merely offensive. Think of a fake MS Patching site, or fake financial institutions. You could wreak havoc with trojans or could steal identities with ease - and the redirect is trivial.
And did I mention no patch in Dec?
8 posted on 12/11/2003 10:48:36 AM PST by Salo
(Hold my beer and watch this!)
To: AppyPappy
You're evil. I like it! :-)
9 posted on 12/11/2003 10:49:36 AM PST by Salo
(Hold my beer and watch this!)
To: Salo
>>Porn links are merely offensive. Think of a fake MS Patching site, or fake financial institutions. You could wreak havoc with trojans or could steal identities with ease - and the redirect is trivial.<<
Agreed, except there will certainly be porn links which, disguised, will lead to sites where malicious scripts can run. The financial and banking bits are indeed disturbing.
Like.. "click here to go to paypal" And it takes you to a paypal login page at Paypal.com but it's not paypal. It's scumbag.com.
Glad I'm doing most of my browsing in firebird these days.
10 posted on 12/11/2003 11:17:41 AM PST by Malsua
To: Salo
11 posted on 12/11/2003 11:27:27 AM PST by Malsua
To: Salo
Has anybody validated that this is true?
12 posted on 12/11/2003 11:29:48 AM PST by sd-joe
To: Malsua
13 posted on 12/11/2003 11:33:42 AM PST by smith288
("The United States has a system of taxation by confession." - Hugo Black,Supreme Court Justice)
To: sd-joe
14 posted on 12/11/2003 11:36:45 AM PST by smith288
("The United States has a system of taxation by confession." - Hugo Black,Supreme Court Justice)
To: sd-joe
Look at the replies here. We are doing it.
15 posted on 12/11/2003 11:37:18 AM PST by AppyPappy
(If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: smith288
16 posted on 12/11/2003 11:39:25 AM PST by smith288
("The United States has a system of taxation by confession." - Hugo Black,Supreme Court Justice)
To: Salo
Use Opera - not affected.
17 posted on 12/11/2003 11:40:25 AM PST by 4CJ
('Scots vie 4 tavern juices' - anagram by paulklenk, 22 Nov 2003)
To: Salo
And to think this was the month in which Microsoft said it wouldn't be releasing any patches. They just accidentally released one for an older bug, and now they're going to have to release one for this.
It's really sad that it's big news when Microsoft says it's going to go just one month without having to patch their OS, but then they have to anyway.
Luckily my main browser is Mozilla even when I'm on Windows.
To: Salo
Of the browsers I have on my system:
IE 4 failed
Netscape 4.7 passed
Netscape 7.01 passed
(I only use IE to check cross-browser compatibility in my HTML.)
To: antiRepublicrat
Alas, that puts you in a very small minority. What % does IE have? Like in the 80s or something? I use it here at work, but at home I use Safari.
20 posted on 12/11/2003 11:53:15 AM PST by Salo
(Hold my beer and watch this!)
To: Salo
This is a severe problem.
One exploit I can imagine right now is if a hacker gains access to a popular, legitimate site, adds a spoofed advertisement for 25% off at Amazon, then applies this technique to redirect traffic to a page where he collects passwords and CC numbers.
I'll assume that this bug also impacts Outlook and Outlook Express.
21 posted on 12/11/2003 12:04:12 PM PST by MikeJ
To: MikeJ
Haven't seen any references to anything other than explorer having the problem, but with MS's product integration, nothing would surprise me.
22 posted on 12/11/2003 12:09:53 PM PST by Salo
(Hold my beer and watch this!)
To: Salo
I wonder if a spyware remover app that detects popups and spyware ads can detect this type of URL and correct it?
Maybe I should go out and make an app and make money off this flaw! I'm thinking IE toolbar...
23 posted on 12/11/2003 12:17:39 PM PST by smith288
("The United States has a system of taxation by confession." - Hugo Black,Supreme Court Justice)
To: Salo
For whatever reason, this article was the last straw for me, coming on the tail of increasing alarm over MS's sloppy coding (admittedly, a signature trait of MS code).
I'm just tired of worrying about it, and IE does not offer enough value to justify the risks. This is only one of hundreds of known IE exploits, and probably hundreds more unknown exploits to come. I'm done.
I just switched to Mozilla Firebird 0.7. It was insanely easy, and I already like it better.
I do not expect to return to Internet Explorer. Ever.
Thanks for helping me to make a decision I should have made long, long ago.
24 posted on 12/11/2003 12:18:43 PM PST by Imal
(I have to turn my head so far to the left to listen to NPR, it makes my neck hurt.)
To: Imal
I just switched to Mozilla Firebird 0.7. It was insanely easy, and I already like it better.
Trust me, you'll be happy. I was on Mosaic and then Netscape 2-4 in the early days of the web, then I moved to IE when Netscape fell behind in being able to render any but the simplest web pages. But when Mozilla hit 1.0, I switched and am still quite happy. It sucks to have to use IE at work. I want my tabs!
To: Imal
I'm just tired of worrying about it...
I hate to be the one to tell you but ... the same issue was already reported in Mozilla:
http://bugzilla.mozilla.org/show_bug.cgi?id=182176
And you're smoking crack if you think Mozilla is going to eliminate security exploits.
26 posted on 12/11/2003 1:29:23 PM PST by Bush2000
(r>)
To: Imal
If you're new to Mozilla, you'll really like tabbed browsing. I can't live without it.
This is also a bump for all those poor folks still stuck in the dark ages with IE.
27 posted on 12/11/2003 1:31:38 PM PST by zeugma
(If you eat a live toad first thing in the morning, nothing worse will happen all day.)
To: Salo
To: Salo; All
I noticed that when you right click the legitimate links on this site, then click "properties," the legitimate links are listed in this way: ORG/File.
However, the spoofed links are listed as ORGIFile. The false link does not have the / behind the address, but the solid black vertical line.
To: Rosencrantz
Now that was funny. I closed my office door, just in case. Hehehe.
To: Bush2000
And you're smoking crack if you think Mozilla is going to eliminate security exploits.
Fortunately, I gave up crack this morning.
My lack of confidence in Microsoft and Internet Explorer is not some implicit claim that Mozilla is either 100% secure or bug-free, and you're smoking crack if you think it is.
I am, however, finding the open-source bazaar an increasingly more desirable place to get my software than the Microsoft cathedral as time goes by.
This one issue is just one of a long series of exploits that has had me considering alternatives for months. After fighting pop-ups (with 3rd-party apps, wth?), Active-X and its nightmarish influences on my browser and its security -- done in the name of supporting haxors and annoying ads -- I'm done fighting Internet Explorer. The software is simply not designed with my best interests in mind.
Is this particular exploit the best reason to leave IE? No, definitely not. It's just the last reason, for me.
This is not a religious decision, it is a pragmatic one. The bottom line is results. The rest is just useless noise.
The dates given in the link you provided are both interesting and instructive, as well as the fact that we can look at them and the comments of the contributors. All in all, a convincing case.
Thanks for the information.
31 posted on 12/11/2003 2:07:32 PM PST by Imal
(I have to turn my head so far to the left to listen to NPR, it makes my neck hurt.)
To: Malsua
On Redhat using mozilla. Mo bedda
32 posted on 12/11/2003 2:25:19 PM PST by Havoc
(If you can't be frank all the time are you lying the rest of the time?)
To: Salo
33 posted on 12/11/2003 3:56:11 PM PST by Bogey78O
(Rob Reiner is a tubby fascist!)
To: Havoc
>>On Redhat using mozilla. Mo bedda<<
I use Mozilla Firebird quite a bit. I still have to use IE for .net passport though.
Firebird is definitely a better browser and with all the extensions, like dictionary lookup, and image zoom etc, it rocks.
34 posted on 12/11/2003 4:47:11 PM PST by Malsua
To: Bush2000
I hate to be the one to tell you but ... the same issue was already reported in Mozilla:
Well, I have to tell you that it is not the same. Mozilla shows the line exactly as it is written - with all the gibberish. One can never mistake it for the real thing. IE hides the redirection and you are completely oblivious to the fact that you are on a different site. Check it yourself. I did.
And you're smoking crack
Nah, between the three of us, it's not him, not me.
35 posted on 12/11/2003 4:59:47 PM PST by singsong
(Demoralization kills first the civilization and THEN the people.)
To: Bush2000
the same issue was already reported in Mozilla...
Same issue? The Moz deal involved disguising ".." to fool the catch logic. It ain't the same issue.
Unless, of course, you're a Microsoft troll.
To: Imal
I have been using Firebird for a while, but just recently downloaded 0.7. Since then, I've been adding extensions like a crazy person. It's amazing all the things it can do.
Adblock prevents it from downloading annoying banner ads that occur on pages, and speeds up loading time.
"Reload Every 0.1" automatically refreshes my "Latest Posts" page every five minutes, whether I visit it or not.
"Copy Image" lets you copy images directly to the clipboard without first saving them on your hard drive. You can use the image in a paint program without having it taking up space on your computer.
"Image Zoomer" lets you zoom in or out on an image right inside your browser.
Now, when I use IE, it just feels clunky and awkward. The best part is, I can stick Firebird on my jump drive and run it from there. So, when I go elsewhere, I don't have to be stuck with IE...just pop in the jump drive, and I'm off and running.
I think if most people used Firebird for a week, they'd never want to go back to IE. I just use IE for the very occasional page that won't work with Mozilla. I don't think I've used it in well over three months now.
37 posted on 12/11/2003 5:22:07 PM PST by FLAMING DEATH
(Why do I carry a .45? Because they don't make a .46!)
To: FLAMING DEATH
Adblock, in particular, is golden in my sight.
38 posted on 12/11/2003 7:33:57 PM PST by Imal
(Warning: Sea monkeys may not appear as portrayed.)
To: FLAMING DEATH
Same issue? The Moz deal involved disguising ".." to fool the catch logic. It ain't the same issue
What's with you -- you need someone to hold your hand and walk you through the logic? Both attacks deal with fundamental flaws in the way that URLs get parsed. The IE attack shows the improperly-parsed URL in the status bar. The Mozilla attack allows somebody to construct a URL that will give access to a local file. But the basic bug is URL parsing.
39 posted on 12/11/2003 8:30:19 PM PST by Bush2000
(r>)
To: Bush2000; singsong; TechJunkYard
"All in all, a convincing case."
It occurred to me while following up on the thread that I had neglected to describe the details of the "convincing case" while concentrating on the larger issue of why I left IE, so I thought it might make sense to elaborate on what I meant.
As others have pointed out, the link Bush2000 provided did not identify this particular exploit, but it did address a similar concern. An important point, but moot in the details, since the broader question is whether Mozilla is more secure than Internet Explorer. So I won't quibble over potential ".." versus "@" exploits.
As best I can tell, Mozilla is not vulnerable to the exploit identified by this article. The address field always contains the true current URL of the page I am viewing, and the status bar displays a subscripted "uppercase gamma" symbol next to these test URLs, apparently to indicate a redirect.
But what were the elements of the "convincing case"?
1. The issue was identified over a year ago.
2. The issue was promptly addressed by several people.
3. There was, in fact, no actual exploit, but the possibility of an exploit was taken seriously, and preventative steps considered.
4. All of this was available for me to review and evaluate as a user of the software.
In other words, the "convincing case" I was referring to was that I had made the right choice in switching to Mozilla. The link Bush2000 provided was reassuring, not worrying.
40 posted on 12/11/2003 8:38:36 PM PST by Imal
(Warning: Sea monkeys may not appear as portrayed.)
To: Imal
Mozilla is essentially a black hole. Practically nobody is using it. Hence, nobody cares about attacking. That doesn't mean that it can't be exploited -- or that it has any fewer bugs than IE, though.
41 posted on 12/11/2003 8:44:35 PM PST by Bush2000
(r>)
To: Bush2000
I used to think the same thing, which is one of the reasons I stuck with IE for so long. I'm glad I changed my mind.
While the details are debatable, of course, the gating factor for me is suitability to my needs. My loyalty extends only so far as a product satisfies my requirements as a user.
Thus decision made, good bye IE. At least, until such time as it may prove safer and more appropriate for my use sometime in the future.
42 posted on 12/11/2003 8:53:22 PM PST by Imal
(Warning: Sea monkeys may not appear as portrayed.)
To: Bush2000
Ah, but your purpose in posting it was to deflect attention from the IE bug and spread unwarranted FUD about Mozilla... I've seen you do stuff like this before. You should have kept yer big mouth shut.
And now, to excuse yourself, you argue that "same" ^= "same". How clintonian can you get?
To: Salo
44 posted on 12/11/2003 9:05:08 PM PST by rdb3
(1971 - 2003: From underrated to most anticipated.)
To: Bush2000
Keep trying, Howie. You lose credibility every time you get caught.
To: TechJunkYard
Ah, but your purpose in posting it was to deflect attention from the IE bug and spread unwarranted FUD about Mozilla...
No, Forrest. My purpose was to show that essentially the same bugs exist in both browsers. You're doing everything you can to pretend, because the outward manifestation of the bug (ie. the display of the incorrectly-parsed URL in the status bar) is different, that the underlying bug is somehow different. Wrong.
URL parsing bug = URL parsing bug
All software is crap. The sooner you stop clinging to your bitter illusions that Mozilla or Linux or fill-in-the-blank-with-your-own-wet-dream is better, the sooner you can join the community of the thinking.
46 posted on 12/11/2003 9:36:36 PM PST by Bush2000
(r>)
To: Bush2000
The opinions of others are their own to choose. Why does this bother you?
47 posted on 12/12/2003 1:32:27 AM PST by Imal
(Truth is a balm to the righteous, and a poison to the wicked.)
To: Bush2000
"Mozilla is essentially a black hole. Practically nobody is using it. Hence, nobody cares about attacking. "
That's fine with me. I don't care whether or not the increased security comes about as a result of the actual build quality of the software, or the fact that people don't want to attack it because it isn't as common as Internet Explorer. I am confident, however, that in a head to head comparison, Mozilla is every bit as secure as IE.
Plus, fewer people downloading the new builds means more bandwidth for me.
Bottom line is, in my opinion, Mozilla exceeds IE in functionality, configurability and speed, and I am less likely to suffer security vulnerabilities to boot, for whatever reason. It's a no brainer for me. I can't stick with IE because people attack Mozilla less. Especially considering how much easier it makes surfing the Web.
And, I'm sure that IE is a no-brainer for you. That's great, if you like it. I liked it too, but then again, the only other thing I'd tried was Netscape, and an early version of it at that. I would still encourage you to give it a try if you haven't. You might like it.
48 posted on 12/12/2003 6:07:22 AM PST by FLAMING DEATH
(Why do I carry a .45? Because they don't make a .46!)
To: Bush2000
Mozilla is essentially a black hole. Practically nobody is using it.
I use it with a dialup AOL connection and Free Republic loads a lot faster. I've started using it for other stuff as well.
-Eric
49 posted on 12/12/2003 6:15:39 AM PST by E Rocc
To: Bush2000
My purpose was to show that essentially the same bugs exist in both browsers. You're doing everything you can to pretend, because the outward manifestation of the bug (ie. the display of the incorrectly-parsed URL in the status bar) is different, that the underlying bug is somehow different. Wrong.
It's not hard to see why Microsoft produces the crap that it does, when a "developer" like yourself takes the 10,000 foot view and alleges that bugs in two different browsers, which manifest themselves differently, with different effects and totally different risks for their users, are somehow the "same issue" or "same bug".
I'll grant you that a buffer overflow in two separate programs qualifies for "same bug" treatment; as the exploitation and result (and remedy!) are similar, but I'd say that you're way off-base with this one, dude.
Come down from the clouds sometime and note the details.