Nasty new IE hole
December 9, 2003 2:28 PM

A new MS Internet Explorer vulnerability is discovered. Most digerati already know about the spammer and lamer trick to publish URLs that look like legitimate hostnames to fool people into trusting a malicious site. This trick is frequently used by spammers to steal people's PayPal accounts, by tricking them into "resetting" their password at a site owned by the spammer but disguised as PayPal.com. Today's new IE vulnerability is significantly worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked into not displaying the rest of the URL at all. Don't expect a patch right way, the guy who found the hole released it to BugTraq on the same day he notified Microsoft. (via Simon Willison)
posted by dejah420 (28 comments total)
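The following is an added example, not part of the thread or of the original advisory: a small checker that separates the part of a URL a reader sees before the "@" from the host a browser will actually connect to, and flags the two shapes discussed above (a hostname-looking userinfo, and a userinfo carrying control characters such as 0x01). It uses only the WHATWG `URL` parser built into Node.js and browsers. The sample URLs are constructed; `evil.example` is a placeholder host, while the `zapthedingbat.com` test URL is the one quoted in this thread.

```javascript
// Added example (not from the thread): classify a URL by comparing what a
// casual reader sees before "@" with the host the browser will really use.
// Relies on the global WHATWG `URL` class available in Node.js and browsers.

// Constructed sample URLs, modelled on the shapes discussed in the thread.
const SAMPLE_URLS = [
  "https://www.paypal.com/cgi-bin/webscr",                                 // ordinary URL
  "http://www.paypal.com@evil.example/reset",                              // classic userinfo trick
  "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",  // test URL from the thread
  "http://www.microsoft.com\x01@zapthedingbat.com/security/ex01/vun2.htm", // same, after unescape()
  "https://www.paypal.com\x01@evil.example/login",                         // HTTPS does not help here
];

// Does the visible userinfo look like a hostname someone might trust?
function looksLikeHostname(s) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s);
}

// Does the (percent-encoded) userinfo carry C0 control characters?
// The URL parser percent-encodes raw controls, so %00..%1F and %7F suffice.
function hasControlChars(encodedUserinfo) {
  return /%(0[0-9a-f]|1[0-9a-f]|7f)/i.test(encodedUserinfo);
}

function decodeSafe(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns a verdict object; `shownAs` is what a display that swallows
// control characters would present, `actualHost` is where the request goes.
function analyzeUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { parsed: false, raw, suspicious: true, reasons: ["unparseable URL"] };
  }
  const reasons = [];
  const userinfo = u.username + (u.password ? ":" + u.password : "");
  const visible = decodeSafe(userinfo).replace(/[\x00-\x1f\x7f]/g, "");
  if (userinfo.length > 0) {
    reasons.push("URL carries userinfo before '@'");
    if (looksLikeHostname(visible)) reasons.push(`userinfo looks like hostname '${visible}'`);
    if (hasControlChars(userinfo)) reasons.push("userinfo contains control characters");
  }
  return {
    parsed: true,
    raw,
    scheme: u.protocol.replace(":", ""),
    actualHost: u.hostname,
    shownAs: userinfo.length > 0 ? visible : u.hostname,
    suspicious: reasons.length > 0,
    reasons,
  };
}

// Analyze a list of URLs and return the verdicts.
function report(urls) {
  return urls.map(analyzeUrl);
}

// Stand-alone run: print one line per sample.
for (const r of report(SAMPLE_URLS)) {
  const flag = r.suspicious ? "SUSPICIOUS" : "ok";
  console.log(`${flag.padEnd(10)} shown as: ${r.shownAs}  -> actual host: ${r.actualHost}  (${r.reasons.join("; ")})`);
}
```

Note that the HTTPS sample is flagged for exactly the reason raised later in the thread: the lock icon would reflect a valid certificate for `evil.example`, so the scheme alone says nothing about whether the displayed hostname is real. A mail gateway or link-checking proxy can apply the same test before a user ever sees the link.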
 
d'oh! right *away*. Sigh.
posted by dejah420 at 2:29 PM on December 9, 2003


Thank God for Mozilla
posted by boltman at 2:33 PM on December 9, 2003


Don't expect a patch right away ever.

They may do a service pack, but then again they may not. I don't think this bug is any more critical than any of the other many, many bugs that aren't going to get patched. Isn't this supposed to be the final release of a stand-alone IE browser?
posted by RylandDotNet at 2:33 PM on December 9, 2003


Thank God for Mozilla.

Agreed. The complete URL is visible using Moz1.6a...can't speak to any earlier versions.

Isn't this supposed to be the final release of a stand-alone IE browser?

Oh, gods forbid. *shudder*
posted by dejah420 at 2:36 PM on December 9, 2003


IE 6 is the last version that will be released before Longhorn comes out, as I understand the situation. MS has basically said they will not be supporting any browser between now and then. May I recommend Firebird?
posted by monju_bosatsu at 2:39 PM on December 9, 2003


The test URL:
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm doesn't work as intended in IE6 SP1; I see http://zapthedingbat.com/security/ex01/vun2.htm in the address bar instead of http://www.microsoft.com.
posted by riffola at 2:47 PM on December 9, 2003


MS will still support (and presumably improve, but I have my doubts) the IE engine, which will just be a part of the OS. Conspiracy theories aside, putting the HTML renderer into the OS makes perfect sense these days, and it's the same route that OSX, KDE and to a lesser extent Gnome are going.
posted by costas at 3:03 PM on December 9, 2003


Riff...weird. Using IE 6.0.28, SP1, when I click the button, it takes me to a page that purports to be microsoft.com. I wonder if you installed an update that I didn't which blocks the hole...or if I installed one that you didn't that opened it. Hmmmm...now I'll have to go turn on other computers and check various versions. Perhaps do a clean, non-patched install, and test it with each patch to see if I can nail down where the hole gets opened...or perhaps closed.

If you get a chance, could you email me your configuration, and I'll see if I can get some other coders working on why you don't have the hole...perhaps we can find a way to patch it for everyone, and we won't have to wait for MS to do something. Also, I'm just really curious...and I love taking things apart just so I can put them together again. ;)
posted by dejah420 at 3:09 PM on December 9, 2003


By including an 0x01 character after the @ symbol in the fake URL
posted by Nauip at 3:26 PM on December 9, 2003


Also, note that in the string "location.href=unescape('url')", unescape is key. Without it, the exploit does not work.

Copy the source code yourself to a file on your desktop and try it.
posted by mr_crash_davis at 3:29 PM on December 9, 2003


Safari predictably does nothing with that Test button, and Mac IE 5.2 shows
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
in the address bar. It's clear I'm not looking at a Microsoft.com page. The exploit is not a problem for Mac users, AFAIK.
posted by emelenjr at 3:31 PM on December 9, 2003


The Title Bar on my IE6.01 actually says: "http://zapthedingbat.com/security/ex01/vun2.htm" for a split second before the test page with the MSFT logo loads.

So on the bright side, if I look at the Title Bar whenever a web page loads, I'll be fine, right...RIGHT?

(Screw it, I'm switching to firebird)
posted by phyrewerx at 3:56 PM on December 9, 2003


No effect on Opera 7.2, FYI.
posted by tiamat at 4:17 PM on December 9, 2003


I'm using IE 6.0.2800.1106
Update versions: SP1; Q822925; q313829; Q330994; Q828750; Q824145 on 98SE
(Don't ask, my regular machine running XP died.)
posted by riffola at 4:37 PM on December 9, 2003


If that exploit page had been more convincingly designed, I would've definitely been fooled.

That said, how exactly could you use this? Since the unescape() is needed, that would require JavaScript. And to hide the JavaScript, you'd need to put it in an HTML link or form element and hope the victim's email client supports HTML mail. Otherwise the victim would see all that "javascript:" stuff.
posted by scottandrew at 4:45 PM on December 9, 2003


I hate it that people don't wait... I mean... come on. This is gonna be the biggest pain in the ass. At least IE is pretty straightforward to patch with the updater now, so it could be worse...
posted by ph00dz at 6:15 PM on December 9, 2003


Course, even if they fix it, you'd have to wait till the end of a monthly cycle for them to release the fix. Only Microsoft would come up with a policy of only releasing patches monthly when they get criticized for too many patches. I'd rather see more patches in a timely manner than fewer patches delayed who knows how long.

Course, the real way not to get nailed with this is not to be an idiot and blindly follow links. If you're stupid enough to blindly fall for some of these attempts to get your passwords in the first place, then odds are you aren't looking at the address anyways.

(For the record, works exactly as described on my xp machine).
posted by piper28 at 6:31 PM on December 9, 2003


Wait for fake "Donate via Paypal" buttons to pop up all over the net.
posted by Eloquence at 7:22 PM on December 9, 2003


right-click, properties on the target page shows the accurate URL. (oh, and of course, all legitimate paypal pages are https. double-click on the lock icon to verify.)
posted by kjh at 9:09 PM on December 9, 2003


Course, the real way not to get nailed with this is not to be an idiot and blindly follow links. If you're stupid enough to blindly fall for some of these attempts to get your passwords in the first place, then odds are you aren't looking at the address anyways.

I agree with you for the most part, but will admit that I've fallen for an email scam once... I got an email that supposedly came from ebay and it was really a password harvester.
posted by drezdn at 10:43 PM on December 9, 2003


this is a great example of the general trend for the 'bad guys' to simply bypass security systems. Sort of analogous to 'social engineering' tactics like phoning someone up, pretending to be a tech support person, and asking them for their password.

See The Maginot Web

"What a sad state of affairs. The CA-signed certificate, far from being the key to browsing security, is the Maginot Line that preserves the masses in a state of blissful ignorance.

"It works perfectly against the attacks conceived and theorised as the dramatic threat to mankind, commerce and the Internet, a decade ago. Problem is, the attackers bypassed it, with as much disdain as any invading army against the last war's dug-in defence.

"Problem is, the security model had unreasonable expectations. Problem is, the users didn't subscribe to their part of the protocol. (To be fair, it's hard to communicate to users that they are even expected to be part of anything.)

"Problem is, the browser manufacturers that were sold on the need for the certs also got sold on the convenience of click and launch. So, they turned around and sold the security model down the river faster than one can say "check the URL..."

posted by dinsdale at 11:58 PM on December 9, 2003


cough.
posted by quonsar at 12:21 AM on December 10, 2003


I'm a Firebird user, but use MSIE for development purposes. I note that this exploit fools the Google Toolbar (a test page I set up claiming to be whitehouse.gov got a pagerank of 10), so this could have very nasty implications for people foolish enough to set software to automatically fill in usernames and passwords. Like, for example, the Google Toolbar. Does anyone know if it fools MSIE's own auto-password functions?
posted by bwerdmuller at 3:40 AM on December 10, 2003


I notice that if you use the Avant IE6 browser interface, the URL is shown to be bogus.
The only difference between it and Mozilla is that Avant shows a vertical bar, in bold, as opposed to the %01 before the "@".
I don't know about the other IE6 modification browsers out there, but perhaps they're all worth checking out if you're attached to IE6 [god have mercy on your soul.]
posted by Blue Stone at 5:45 AM on December 10, 2003


I love my Avant browser. It took me a second to realize that the reason I was seeing the URL correctly was because I wasn't using IE....
posted by oissubke at 6:09 AM on December 10, 2003


kjh, this trick would work just fine under HTTPS, since the browser doesn't know it's not showing the actual hostname. The lock icon will appear, so unless the user is in the habit of double-clicking it to verify every HTTPS page, they will think they're seeing a secure page from Paypal.
posted by nicwolff at 7:00 AM on December 10, 2003


A bigger problem is MS's braindead decision to have the status bar hidden by default.
posted by Tlogmer at 6:56 PM on December 10, 2003


Looks like Mozilla is partially vulnerable too.
posted by yerfatma at 6:14 AM on December 12, 2003



