Massive IE phishing exploit discovered

ZDNet ^ | December 17, 2004 | Dan Ilett

[holymoly]

Even SP2 versions of Microsoft's Internet Explorer are vulnerable to a spoofing exploit published yesterday.

A vulnerability researcher posted details of a dangerous Internet Explorer (IE) flaw on Thursday that allows phishers to spoof Web sites more realistically than ever before.

According to security company Secunia, Paul from Greyhats -- a research group -- has published details of a vulnerability that can be exploited to spoof the content of any Web site.

Using the exploit, scammers are able to manipulate all versions of IE, including Windows XP SP2 -- the latest and most secure version of the browser -- and spoof the URL and SSL signature padlock located at the bottom of the browser screen.

The vulnerability is caused by a cross-site scripting vulnerability in the DHTML Edit ActiveX control, but because the flaw is within the browser, it can be used against any Web site, Secunia said.

"That is huge," said Thomas Kristensen, chief technology officer for Secunia. "When you cross-site script a Web site, the user can’t see that anything unusual is happening. The URL looks like it's a legitimate site and if you go to the SSL padlock, it will show a certificate for the site even though it is controlled by malicious scripting."

"The malicious Web site can control what is seen in the address bar. People still don't realise the significant impact of cross-site scripting. This is the vulnerability that phishers and scammers have been looking for. You could also steal cookies from any Web site," Kristensen warned.

"The most likely outcome is a phishing email, where users click on a link, then open the browser. They then briefly see the URL of the malicious Web site, and then see the scam Web site," Kristensen added.

Nick McGrath, Microsoft's security spokesman, and the Microsoft UK security team was unavailable to comment at the time of writing because they are in the United States. The company has previously frowned upon researchers who have posted exploits without letting it know first.

Kristensen said he was unsure why Paul chose to publish the exploit before informing Microsoft. Secunia has developed an exploit test on its Web site which is available for download.

Secunia has labelled the vulnerability as "moderately critical" because people cannot use it to access systems.

[holymoly]

Alternatives to Microsoft Internet Explorer:

Mozilla/Firefox (Open Source/Freeware)
Opera (Shareware)
Off By One (Freeware)

[Dog Gone]

Wonderful

[frog_jerk_2004]

Firefox - The BEST!

[frog_jerk_2004]

IE - Just Say No!

[Terabitten]

That's why I use FireFox.

[ShadowAce]

Browser Ping

[wolficatZ]

I didn't realise my google home page had been hijacked to a google clone..www.about.blank.org.

Sneaky. And I have tons of protection running.. Hrmmm

[Fatalis]

FYI

[DCPatriot]

Just changed from IE to Firefox....surprised (not really) to see that the default homepage is GOOGLE.

[Bloody Sam Roberts]

Firefox - The BEST!

[holymoly]

Just changed from IE to Firefox....surprised (not really) to see that the default homepage is GOOGLE.

Change it.
Firefox Help: Options

[KoRn]

"Just changed from IE to Firefox....surprised (not really) to see that the default"

Now that you have changed to Firefox, go to this thread to help you out.... if you are on a Broadband Internet connection.

How To Speed Up Firefox (Helpful Vanity)

[wouldilie]

I've been using the Avant browser and really like it. I prefer it to Firefox and Mozilla because a lot of the plugins that I use work with Avant and not Firefox or Mozilla. But I never see Avant discussed when people talk about security vulnerability. Does Avant have the same problems as IE or is it more immune??

[holymoly]

Does Avant have the same problems as IE or is it more immune??

As I recall, Avant runs on the IE engine (it requires IE to work).

The browsers I listed are all stand-alone.

In my opinion, if you're going to break with IE, it should be a clean break.

[Graybeard58]

I had the "about blank" problem too until I switched browsers. Any time I rebooted I got "about blank" as my home page. I could change it but it would always come back upon rebooting. I finally got rid of it but I have no problems at all using netscape 7.1 browser.

[RichardW]

I don't believe a browser change will help here although I use Firefox. If the e-mail comes in and you click on it, you will be redirected. I got one the other day and observed the address and it definitely not was from ebay which allegedly needed to "update" my credit card information. Be aware, be very aware.

[Zman]

All Hail KoRn!

[ShadowAce]

I don't believe a browser change will help here although I use Firefox.

One extension that would be helpful here is the Spoofstick extension. It tells you the real URL of the page you are on.

[holymoly]

I don't believe a browser change will help here although I use Firefox.

From the article:
"The vulnerability is caused by a cross-site scripting vulnerability in the DHTML Edit ActiveX control"

I still run a vesion of Mozilla, but I believe that, like Mozilla, Firefox does not use ActiveX.  (I don't know about Opera.)  "Off By One" uses no plugins, java, etc., and so is the most secure browser available.

This and other articles I've read state this is a MSIE-only flaw.

[IamConservative]

I have current IE 6, Windows Xp w/ SP-2. The Secunia test shows my IE browser as vulnerable. I also have Forefox, which I use exclusively for browsing on the same machine - Firefox is not vulnerable. I won't open the test page at all.

The only reason I keep IE is that many things exclusively open IE to display content.

[goldstategop]

If you have Pivx's Qwik Fix software installed, you're protected against this exploit - one for which Microsoft has yet to release a patch.

[hc87]

bump

[TruthNtegrity]

Very useful info. Thanks!

[PjhCPA]

Opera vote ping

[upchuck]

FWIW, I did some testing using the link available at http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/

Results:

IE v6.0 (non SP2): unsafe
Opera v7.54: safe
Mozilla Firefox v0.8: safe
Netscape v4.74 (a golden oldie): safe

Microsoft must have no quality control whatsoever. Even with the much vaunted XP2, they STILL have serious security problems in Internet Explorer.

Cathedral my butt :) Let's hear it for the bazaar!

[Space Wrangler]

Makes one wonder how the 4.5 MB Firefox is so much more secure than the gargantuan 25 MB IE. It's not a flaw! It's a feature don't you know!! LOL!!! Death to IE!

[TomGuy]

Avant
Fastbrowser
Maxthon

and several others use the IE engine.

I have used Fastbrowser for several years because it was one of the first tabbed browsers (nice for FR viewing) and it had built-in speech (again, nice for FR, especially for long news articles).

FireFox has both, now--tabs and speech. I am using it occasionally, trying to get used to it. If you want speech on FireFox, check out the extension, FoxyVoice. It requires the MS speech engine, which is available free from this link:

http://www.tucows.com/adnload/193770_87093.html

[bkwells]

Another reason to dump IE and use Firefox!

[Tribune7]

I've pretty much given up IE.

[N3WBI3]

bwhahaha what an aweful week for Microsoft, first *wordpad* and now this... Here come the MS guys to tell us that they are just as structurally secure and anyoneone else..

[TomGuy]

Prevx Home is an intrusion prevention software, and it is free for home use.

I'm not sure about this particular security issue, but I've been running Prevx for a few weeks. It alerts to any significant changes to exe's and the registry.

Check it out---it is free and is not a trial or time-limited version.

http://www.prevx.com/prevxhome.asp

[zoobee]

How does this affect us AOL users....

[holymoly]

I've pretty much given up IE.

Wise decision.  I just stumbled across this:

---

Firefox is hot; Thunderbird's not — for good reason

"This week, Microsoft announced five new security flaws in IE, bringing the total this year to 45 — or about 43 more than many people consider tolerable. And last week, Penn State University implored its 80,000-plus students and faculty to stop using IE purely for security's sake."

---

I knew there were many, many bugs & flaws discovered in IE this year, but I had no idea the number was this high.

[holymoly]

How does this affect us AOL users....

Upchuck posted a link to a site where you can test your browser vulnerability. (See post #25 above.)

Sorry, I know virtually nothing about AOL.

[wildbill]

Opera still has free version--but it comes with ads.

[Knitting A Conundrum]

Phishers are constantly out there.

I get at least three-five ebay or paypal phisher email a week, I believe. I even get some from companies I have no account with. I used to turn them all in. Now I just delete them.

But after awhile, you begin to recognize the scripts, like with the "help the nigerian whatever get money out of the country scam" Someone's with an out of country IP has been using your account. Sometimes you get a message like a very large purchase was made with your account, and you get an oportunity to cancel if you go to this link. Saw a new one last week for paypal...email informing you that a new email address had been added to your account. If you want to verify it, just click here (and they were using an exploit that made it look like the URL was legit). Being an old hand at this, I went directly on another page to PP, and lo and behold, nothing of the kind had happened.

Phishers are evil and should be burned at the stake.

[Knitting A Conundrum]

I only use IE for the rare page that won't work with anything else. I like mozilla products, myself. Been using netscape/mozilla since netscape 1. Never did use IE much, and every day means I want to use it less and less. Besides all the bugs, it's ancient technology.

[TomGuy]

Of course, if today most internet users all switched to Browser X, within a week Browser X would be the one getting all the hackings and viruses and trojans and worms.


The havoc creators are going for the most popular one -- biggest bang for their buck, so to speak.

[TChris]

Gosh, I'm sure glad the Dept of Commerce is enforcing the anti-bundling laws so every Windows user doesn't have this huge security hole installed on their... oh, wait. Nevermind.

[Clara Lou]

Thanks for the info on the spoofstick extension-- just downloaded it.

[N3WBI3]

Thats logically unsound. The two systems are built differently, meaning they are not equally vulnerable to attack. Would as many people try to attack it? sure but that does not mean they would succeede as much..

Put it this way, if 10 million people drive a yugo, and another ten million drive a saab (and all 10 million are identical) there will probably be just as many accidents in either case but the mortality rate will not be equal..

[Ernest_at_the_Beach]

Not sure how you check, but if it uses ActiveX ,.......then it is vulnerable. Maybe why some of you stuff only works with it.....

[ShadowAce]

Right-click on the link and choose "Open in new tab."

[TomGuy]

they are not equally vulnerable

True, and I didn't say they were equal. But, they are vunerable. The level of vunerability depends on the level of interest in seeking out, exposing, and then using that vunerability.

If 200 million start using Firefox, for example, and 10 continue to to use IE and the rest (all 12) are Mac users, they aren't going to continue attacking IE. But they will seek methods against Firefox.

It is in the numbers. As I said, 'more bang for the buck.'

Firefox is not extensively vunerable now, because all the potential vunerabilities haven't been exposed, because few hackers are looking at Firefox---yet. Same with Mac's. Same with Linux.

Seven years ago, when Netscape was the premier browser and IE was just a straggler, hackers had little interest in IE. The same is true with virus makers and trojan makers. They design for the type of OS or browser that will spread their evil best--meaning, most extensively.

[TomGuy]

In Firefox, download the extensions for tabbed browsing. They give you options for making the tabs more usable.

Tabbing takes a bit of getting used to. You might read the help file for tabbed browsing. [I just right click and select 'open in new tab' for news links off of the News/Activism list page.]

[webstersII]

"Of course, if today most internet users all switched to Browser X, within a week Browser X would be the one getting all the hackings and viruses and trojans and worms."

Wrong. It's not just a question of popularity and number of users. Microsoft/IE has certain vulnerable spots which other browsers don't have. ActiveX is a security nightmare, for example. The Java-based browser security is much better.

[A CA Guy]

I agree, was a great movie.

[mhking]

[Ernest_at_the_Beach]

Nice Icon.