
HTML Forum

    
IE Vulnerability: Address Bar Spoofing
pageoneresults




msg:591105
 7:14 pm on Apr 17, 2006 (gmt 0)

2006-04-04 - Internet Explorer Window Loading Race Condition Address Bar Spoofing
[secunia.com...]

Please note, there is no fix for this vulnerability from MS as of yet. Secunia advises to Disable Active Scripting support.

Description:
Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

[secunia.com...]

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.


 

Dinkar




msg:591106
 8:26 pm on Apr 17, 2006 (gmt 0)

Try some alternate browser like Firefox.

trillianjedi




msg:591107
 8:45 pm on Apr 17, 2006 (gmt 0)

Ouch, that's nasty - thanks for the heads up.

tstaheli




msg:591108
 9:16 pm on Apr 17, 2006 (gmt 0)

Another day, another patch.

encyclo




msg:591109
 9:25 pm on Apr 17, 2006 (gmt 0)

Try some alternate browser like Firefox

But if you do, make sure you patch that too [webmasterworld.com]. :)

Whilst IE vulnerabilities are much more frequent, the latest Firefox bug is much more serious than this particular IE one.

Jon_King




msg:591110
 10:37 pm on Apr 17, 2006 (gmt 0)

Thanks for that pageoneresults.

I do think that vulnerabilities are here to stay and appreciate WebmasterWorld especially for the members wise to this fact. I've long since moved on from considering a secure OS. The complexity of what we want makes that an impossibility. If we have the minds capable of securing a network decide what is possible and what's not, we would be secure but less useful. Be the judge, it's a crap shoot to me.

tsheridan




msg:591111
 10:58 pm on Apr 17, 2006 (gmt 0)

Mine says .google.ca - is this the same thing as .google.com, in this instance?

pageoneresults




msg:591112
 11:20 pm on Apr 17, 2006 (gmt 0)

Mine says .google.ca - is this the same thing as .google.com, in this instance?

Yes. If you were not open to this vulnerability, you would end up at the Secunia website.

[secunia.com...]

Don_Hoagie




msg:591113
 12:48 pm on Apr 18, 2006 (gmt 0)

You know what would be a scary application of this?

Tie it in with the hack that changes your browser's home page... imagine your homepage got taken over and yet it still rendered as google.com / yahoo.com / msn.com... How many Gmail / Yahoo Mail / Hotmail users would innocently input their user/pass to those spoofed pages? Google is my homepage, and I can tell you right now that I wouldn't have the slightest idea that I was getting conned if they designed the pages right. (And it's oh-so-tough to recreate Google pages, isn't it?)

donpps




msg:591114
 1:37 pm on Apr 18, 2006 (gmt 0)

I tried to manually change the google spoof page to https://www.google.com and got the original google page.

Question: Are secure websites protected from this vulnerability?

Xyzi




msg:591115
 2:34 pm on Apr 18, 2006 (gmt 0)

You know what would be a scary application of this?...

Actually that's already possible by just modifying the hosts-file.

mack




msg:591116
 4:02 pm on Apr 18, 2006 (gmt 0)

Actually that's already possible by just modifying the hosts-file.

Very true, and it would work with any browser the user had installed, not just IE. Address bar spoofing is a very similar concept; thankfully IE7 addresses this issue to an extent by letting you know in no uncertain terms that the certificate does not match the domain. By letting you know I mean red address bar and full page error message before it will let you proceed.

Mack.

beebware




msg:591117
 9:50 pm on Apr 18, 2006 (gmt 0)

Actually, IE 6.0 on my Win XP SP2 box initially failed this exploit. I just got Google on the Google URL - however, moving the window aside, I had two dialog boxes asking me to "Allow sub-frames to navigate across different domains?". Clicking "No" keeps Google.co.uk shown in the URL bar with the contents of the site being Google - clicking "Yes" (to both dialog boxes) shows the exploit with Google.co.uk in the URL bar and Secunia's site in the window.

JudgeJeffries




msg:591118
 1:44 am on Apr 19, 2006 (gmt 0)

"disable active scripting"
How? Where? I can't find it.
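
The workaround quoted from Secunia in the first post, shown as an added example that is not part of the original thread or of Secunia's advisory: Internet Explorer stores the "Active scripting" choice per security zone as URL action 1400, and this PowerShell sketch reports the per-user value for each zone and sets the Internet zone to Disable. The function names `Get-ActiveScriptingSetting` and `Disable-ActiveScripting` are hypothetical helpers made up for this example.

```powershell
# Added example (not from the thread): audit and disable Active Scripting per IE zone.
# URL action 1400 is "Active scripting"; DWORD 0 = Enable, 1 = Prompt, 3 = Disable.
# GUI equivalent: Tools > Internet Options > Security > Custom Level > Scripting.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneName = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
               '3' = 'Internet';    '4' = 'Restricted sites' }
$Setting  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: report the per-user value of action 1400 for every zone.
function Get-ActiveScriptingSetting {
    foreach ($zone in '0', '1', '2', '3', '4') {
        $key = Join-Path $ZoneRoot $zone
        $raw = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        [pscustomobject]@{
            Zone    = $zone
            Name    = $ZoneName[$zone]
            Value   = $raw
            Setting = if ($null -eq $raw) { 'not set (zone default applies)' }
                      elseif ($Setting.ContainsKey([int]$raw)) { $Setting[[int]$raw] }
                      else { "unknown ($raw)" }
        }
    }
}

# Hypothetical helper: write 3 (Disable) to action 1400 for the given zones.
function Disable-ActiveScripting {
    param([string[]]$Zone = @('3'))   # default: Internet zone only
    foreach ($z in $Zone) {
        $key = Join-Path $ZoneRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

Get-ActiveScriptingSetting | Format-Table -AutoSize   # state before the change
Disable-ActiveScripting -Zone '3'
Get-ActiveScriptingSetting | Format-Table -AutoSize   # state after the change
```

Zone settings delivered through Group Policy take precedence over these per-user values, so on a managed machine the reported value may not be the one in effect.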

Swanson




msg:591119
 2:47 am on Apr 19, 2006 (gmt 0)

I just tried it using IE 6 and it was fine - the URL was not Google in the address bar.

Swanson




msg:591120
 2:51 am on Apr 19, 2006 (gmt 0)

Just to clarify - XP Home with IE 6 fully patched.

pageoneresults




msg:591121
 4:05 pm on Apr 19, 2006 (gmt 0)

Quick question. Anyone having any problems with their IE after performing the above test from Secunia?

mack




msg:591122
 4:13 pm on Apr 19, 2006 (gmt 0)

I tried the test, and my system was found to be vulnerable. No ill effects since I tested though? What have you been seeing?

Mack.

zafile




msg:591123
 4:22 pm on Apr 19, 2006 (gmt 0)

The Secunia alert seems valid for people with bad habits while browsing. People browsing porn should be worried about the vulnerability.

However, the alert is mainly hype for Secunia. The link at the top of the WebmasterWorld homepage only enhances such hype.

I think it is time for WebmasterWorld to provide better and more relevant content on its homepage.

pageoneresults




msg:591124
 4:23 pm on Apr 19, 2006 (gmt 0)

What have you been seeing?

Well, yesterday I had some major issues with the temp cache (IE) being flooded. Also, something happened with my Norton Spam within Outlook although that may be unrelated.

Since then, I've done full system scans for viruses, etc. All is well.

After dumping the temp cache and reviewing all my running processes (just to be sure), things appear to be back to normal. I don't want to run the test again until I know for sure if others experienced any issues.

pageoneresults




msg:591125
 4:25 pm on Apr 19, 2006 (gmt 0)

The Secunia alert seems valid for people with bad habits while browsing. People browsing porn should be worried about the vulnerability.

Huh? Are you saying that this is linkbait for Secunia? And that the vulnerability only affects those browsing p*rn sites?

abacuss




msg:591126
 9:40 am on Apr 22, 2006 (gmt 0)

Thanks for the information.

wmuser




msg:591127
 2:36 pm on Apr 23, 2006 (gmt 0)

Hard to believe but there is still NO patch for it, IE is still vulnerable, tried it on my PC

whisky1




msg:591128
 4:55 pm on Apr 30, 2006 (gmt 0)

Thanks for the info and advice, I will use Firefox first
