Comments on: Nasty new IE hole

Nasty new IE hole

dejah420 — Tue, 09 Dec 2003 14:28:08 -0800

A new MS Internet Explorer vulnerability is discovered. Most digerati already know about the spammer and lamer trick to publish URLs that look like legitimate hostnames to fool people in to trusting a malicious site. This trick is frequently used by spammers to steal people's PayPal accounts, by tricking them in to "resetting" their password at a site owned by the spammer but disguised as PayPal.com. Today's new IE vulnerability is significantly worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked in to not displaying the rest of the URL at all. Don't expect a patch right way, the guy who found the hole released it to BugTraq on the same day he notified Microsoft. (via Simon Willison)

By: dejah420

dejah420 — Tue, 09 Dec 2003 14:29:58 -0800

d'oh! right *away*. Sigh.

By: boltman

boltman — Tue, 09 Dec 2003 14:33:12 -0800

Thank God for Mozilla

By: RylandDotNet

RylandDotNet — Tue, 09 Dec 2003 14:33:16 -0800

Don't expect a patch ~~right away~~ ever. They may do a service pack, but then again they may not. I don't think this bug is any more critical than any of the other many, many bugs that aren't going to get patched. Isn't this supposed the final release of a stand-alone IE browser?

By: dejah420

dejah420 — Tue, 09 Dec 2003 14:36:03 -0800

Thank God for Mozilla. Agreed. The complete url is visible using Moz1.6a...can't speak to any earlier versions. Isn't this supposed the final release of a stand-alone IE browser? Oh, gods forbid. *shudder*

By: monju_bosatsu

monju_bosatsu — Tue, 09 Dec 2003 14:39:11 -0800

IE 6 is the last version that will be released before Longhorn comes out, as I understand the situation. MS has basically said they will not be supporting any browser between now and then. May I recommend Firebird?

By: riffola

riffola — Tue, 09 Dec 2003 14:47:51 -0800

The test URL: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm doesn't work as intended in IE6 SP1, I see http://zapthedingbat.com/security/ex01/vun2.htm in the address bar instead of http://www.microsoft.com

By: costas

costas — Tue, 09 Dec 2003 15:03:28 -0800

MS will still support (and presumably improve, but I have my doubts) the IE engine which will just be a part of the OS. Conspiracy theories aside, putting the HTML renderer into the OS makes perfect sense these days --and it's the same route that OSX, KDE and to a lesser extent Gnome are going.

By: dejah420

dejah420 — Tue, 09 Dec 2003 15:09:05 -0800

Riff...weird. Using IE 6.0.28, sp1, when I click the button, it takes me to a page that purports to be microsoft.com. I wonder if you installed an update that I didn't which blocks the hole...or if I installed one that you didn't that opened it. Hmmmm...now I'll have to go turn on other computers and check various versions. Perhaps do a clean, non patched install, and test it with each patch to see if I can nail down where the hole gets opened...or perhaps closed. If you get a chance, could you email me your configuration, and I'll see if I can get some other coders working on why you don't have the hole...perhaps we can find a way to patch it for everyone, and we won't have to wait for MS to do something. Also, I'm just really curious...and I love taking things apart just so I can put them together again. ;)

By: Nauip

Nauip — Tue, 09 Dec 2003 15:26:45 -0800

By including an 0x01 character after the @ symbol in the fake URL

By: mr_crash_davis

mr_crash_davis — Tue, 09 Dec 2003 15:29:23 -0800

Also, note that in the string "location.href=unescape('url')", unescape is key. Without it, the exploit does not work. Copy the source code yourself to a file on your desktop and try it.

By: emelenjr

emelenjr — Tue, 09 Dec 2003 15:31:47 -0800

Safari predictably does nothing with that Test button, and Mac IE 5.2 shows http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm in the address bar. It's clear I'm not looking at a Microsoft.com page. The exploit is not a problem for Mac users, AFAIK.

By: phyrewerx

phyrewerx — Tue, 09 Dec 2003 15:56:06 -0800

The Title Bar on my IE6.01 actually says: "http://zapthedingbat.com/security/ex01/vun2.htm" for a split second before the test page with the MSFT logo loads. So on the bright side, if I looked at the Title Bar when ever a web page loads, I'll be fine right...RIGHT? (Screw it, I'm switching to firebird)

By: tiamat

tiamat — Tue, 09 Dec 2003 16:17:35 -0800

No effect on Opera 7.2, FYI.

By: riffola

riffola — Tue, 09 Dec 2003 16:37:10 -0800

I'm using IE 6.0.2800.1106 Update versions: SP1; Q822925; q313829; Q330994; Q828750; Q824145 on 98SE (Don't ask, my regular machine running XP died.)

By: scottandrew

scottandrew — Tue, 09 Dec 2003 16:45:44 -0800

If that exploit page had been more convincingly designed, I would've definitely been fooled. That said, how exactly could you use this? Since the unescape() is needed, that would require JavaScript. And to hide the JavaScript, you'd need to put it in an HTML link or form element and hope the victim's email client supports HTML mail. Otherwise the victim would see all that "javascript:" stuff.

By: ph00dz

ph00dz — Tue, 09 Dec 2003 18:15:26 -0800

I hate it that people don't wait... I mean... come on. This is gonna be the biggest pain in the ass. At least IE is pretty straightforward to patch with the updater now, so it could be worse...

By: piper28

piper28 — Tue, 09 Dec 2003 18:31:42 -0800

Course, even if they fix it, you'd have to wait till the end of a monthly cycle for them to release the fix. Only Microsoft would come up with a policy of only releasing patches monthly when they get criticized for too many patches. I'd rather see more patches in a timely manner than fewer patches delayed who knows how long. Course, the real way not to get nailed with this is not to be an idiot and blindly follow links. If you're stupid enough to blindly fall for some of these attempts to get your passwords in the first place, then odds are you aren't looking at the address anyways. (For the record, works exactly as described on my xp machine).

By: Eloquence

Eloquence — Tue, 09 Dec 2003 19:22:53 -0800

Wait for fake "Donate via Paypal" buttons to pop up all over the net.

By: kjh

kjh — Tue, 09 Dec 2003 21:09:30 -0800

right-click, properties on the target page shows the accurate url. (oh, and of course, all legitimate paypal pages are https. double-click on the lock icon to verify.)

By: drezdn

drezdn — Tue, 09 Dec 2003 22:43:18 -0800

Course, the real way not to get nailed with this is not to be an idiot and blindly follow links. If you're stupid enough to blindly fall for some of these attempts to get your passwords in the first place, then odds are you aren't looking at the address anyways. I agree with you for the most part, but will admit that I've fallen for an email scam once... I got an email that supposedly came from ebay and it was really a password harvester.

By: dinsdale

dinsdale — Tue, 09 Dec 2003 23:58:43 -0800

this is a great example of the general trend for the 'bad guys' to simply bypass security systems. Sort of analogous to 'social engineering' tactics like phoning someone up, pretending to be a tech support person, and asking them for their password. See The Maginot Web "What a sad state of affairs. The CA-signed certificate, far from being the key to browsing security, is the Maginot Line that preserves the masses in a state of blissful ignorance. "It works perfectly against the attacks conceived and theorised as the dramatic threat to mankind, commerce and the Internet, a decade ago. Problem is, the attackers bypassed it, with as much disdain as any invading army against the last war's dug-in defence. "Problem is, the security model had unreasonable expectations. Problem is, the users didn't subscribe to their part of the protocol. (To be fair, it's hard to communicate to users that they are even expected to be part of anything.) "Problem is, the browser manufacturers that were sold on the need for the certs also got sold on the convenience of click and launch. So, they turned around and sold the security model down the river faster than one can say "check the URL..."

By: quonsar

quonsar — Wed, 10 Dec 2003 00:21:35 -0800

cough.

By: skallas

skallas — Wed, 10 Dec 2003 01:44:06 -0800

If you're switching to Firebird, there's a windows installer out there that makes installing plug-ins and such much eaiser. For some reason mozdez.org is down right now. Of course Mozilla comes with its own installer and the beta of 1.6 just came out. Also, the Mozilla Thunderbird email client just hit version .4, I'm assuming the vector for this attack will be through email.

By: bwerdmuller

bwerdmuller — Wed, 10 Dec 2003 03:40:57 -0800

I'm a Firebird user, but use MSIE for development purposes. I note that this exploit fools the Google Toolbar (a test page I set up claiming to be whitehouse.gov got a pagerank of 10), so this could have very nasty implications for people foolish enough to set software to automatically fill in usernames and passwords. Like, for example, the Google Toolbar. Does anyone know if it fools MSIE's own auto-password functions?

By: Blue Stone

Blue Stone — Wed, 10 Dec 2003 05:45:49 -0800

I notice that if you use the Avant IE6 browser interface, the url is shown to be bogus. The only difference between it and Mozilla, is that Avant shows a vertical bar, in bold, as opposed to the %01 before the "@". I don't know about the other IE6 modification browsers out there, but perhaps they're all worth checking out if you're attatched to IE6 [god have mercy on your soul.]

By: oissubke

oissubke — Wed, 10 Dec 2003 06:09:42 -0800

I love my Avant browser. It took me a second to realize that the reason I was seeing the URL correctly was because I wasn't using IE....

By: nicwolff

nicwolff — Wed, 10 Dec 2003 07:00:52 -0800

kjh, this trick would work just fine under HTTPS, since the browser doesn't know it's not showing the actual hostname. The lock icon will appear, so unless the user is in the habit of double-clicking it to verify every HTTPS page, they will think they're seeing a secure page from Paypal.

By: Tlogmer

Tlogmer — Wed, 10 Dec 2003 18:56:40 -0800

A bigger problem is MS's braindead decision to have the status bar hidden by default.

By: yerfatma

yerfatma — Fri, 12 Dec 2003 06:14:49 -0800

Looks like Mozilla is partially vulnerable too.