A vulnerability in Internet Explorer 6.0 for Windows (at least),
reported earlier this week, may allow miscreants to spoof the URL
that appears in the Address field at the top of the browser window,
as well as in the status bar at the bottom of the window.
This vulnerability could be used by a rogue site -- on or off
campus -- that masquerades as the campus's Authentication Web Server
(AWS) page, for instance, or any other campus site requiring
authentication for access to services. It could potentially also be
used by perpetrators of scams, such as those attempting to harvest
PayPal and eBay passwords and other personal and financial data from
unsuspecting users.
The exploit is simple. When clicking the URL:
http://www.trusted_site.com%01%00@malicious_site.com/
you will actually be taken to <http://malicious_site.com>, but the
URL will appear in Internet Explorer's Address field and status bar
as <http://www.trusted_site.com>.
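As an added example (not part of the original message), the Python below shows how a defender's proxy-log or mail filter can split such a URL the way a browser does and flag the pattern the exploit relies on: a userinfo portion that contains control characters or that itself looks like a hostname. It generalizes slightly beyond the %01%00 case in the message to any control character in the userinfo; the hostnames are the placeholders from the message above plus a constructed benign URL.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not taken from real traffic): the spoofing form
# described above, a benign URL with ordinary credentials (hypothetical
# host), and a plain URL with no userinfo at all.
SAMPLE_URLS = [
    "http://www.trusted_site.com%01%00@malicious_site.com/",
    "http://user:secret@intranet.example/login",
    "http://www.trusted_site.com/",
]

HOST_RE = re.compile(r"[A-Za-z0-9._-]+\.[A-Za-z]{2,}")


def analyze_url(url: str) -> dict:
    """Report where a URL really goes versus what a naive display shows.

    The real host is everything after the last '@' in the authority, as
    RFC 2396 specifies.  The text before the first control character in
    the userinfo is what the message says IE 6 rendered in its Address
    field; if that text looks like a hostname, the URL is suspicious.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else ""
    decoded = unquote(userinfo)
    has_control = any(ord(c) < 0x20 for c in decoded)
    # Keep only the part a truncating display would have shown.
    shown = re.split(r"[\x00-\x1f]", decoded, maxsplit=1)[0]
    looks_like_host = bool(HOST_RE.fullmatch(shown.split(":")[0]))
    suspicious = bool(userinfo) and (has_control or looks_like_host)
    return {
        "real_host": real_host,
        "userinfo": userinfo,
        "apparent_host": shown.split(":")[0] if suspicious else real_host,
        "suspicious": suspicious,
    }


def find_suspicious(urls):
    """Return the subset of urls that carry the spoofing pattern."""
    return [u for u in urls if analyze_url(u)["suspicious"]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", analyze_url(u))
```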
Here's a summary description, with a link to a test you can perform
in your browser:
http://www.secunia.com/advisories/10395/
There's also a summary in a CNet news article earlier this week:
"IE bug lets fake sites look real"
http://news.com.com/2100-7355_3-5119440.html?tag=nefd_pop
>Microsoft on Tuesday said it was looking into reports of a potential
>bug in its Web browser that could help malicious hackers design
>convincing Web site spoofs. ...
>
>Malicious hackers frequently lure victims to convincing replicas of
>e-commerce sites such as eBay, where they're tricked into handing
>over financial and other private information. The method is said to
>be a key tool in credit card and identity theft.
>
>Savvy Web surfers often figure out the ruse from irregularities in
>the Web address. But in the method described... IE could allow the
>address bar for the spoofed eBay site, for example, to read
>"ebay.com."
>
>"Microsoft is investigating new public reports of a possible
>vulnerability in Internet Explorer," the company said in a
>statement. "We have not been made aware of any active exploits of
>the reported vulnerabilities or customer impact at this time, but we
>are aggressively investigating the public reports."
>
>Microsoft did not set a timetable for its investigation, but said it
>may eventually release a patch to address the problem. ...
>
>Microsoft faulted security mavens for publicizing the flaw, implying
>that they hadn't given Microsoft sufficient time to craft a patch.
Several additional news articles are linked from:
http://www.securityfocus.com/archive/1/347335/2003-12-09/2003-12-15/2
Aron Roberts
Workstation Software Support Group
P.S. As one more data point, in Microsoft Internet Explorer 5.2.3 for
Mac OS X, this exploit does not spoof the URL in the Address field,
but it does spoof the URL in the status bar.
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Fri Dec 12 15:36:17 2003