
Forum Moderators: incrediBILL


IE Vulnerability: Address Bar Spoofing

     
7:14 pm on Apr 17, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12169
votes: 55


2006-04-04 - Internet Explorer Window Loading Race Condition Address Bar Spoofing
[secunia.com...]

Please note, there is no fix for this vulnerability from MS as of yet. Secunia advises to Disable Active Scripting support.

Description:
Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

[secunia.com...]

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.

8:26 pm on Apr 17, 2006 (gmt 0)

Full Member

10+ Year Member

joined:July 12, 2002
posts:207
votes: 1


Try some alternate browser like Firefox.
8:45 pm on Apr 17, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member trillianjedi is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 15, 2003
posts:7242
votes: 0


Ouch, that's nasty - thanks for the heads up.
9:16 pm on Apr 17, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 6, 2003
posts:109
votes: 0


Another day, another patch.
9:25 pm on Apr 17, 2006 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9068
votes: 4


Try some alternate browser like FireFox

But if you do, make sure you patch that too [webmasterworld.com]. :)

Whilst IE vulnerabilities are much more frequent, the latest Firefox bug is much more serious than this particular IE one.

10:37 pm on Apr 17, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 16, 2002
posts:2133
votes: 1


Thanks for that, pageoneresults.

I do think that vulnerabilities are here to stay and appreciate WebmasterWorld especially for the members wise to this fact. I've long since moved on from considering a secure OS. The complexity of what we want makes that an impossibility. If we have the minds capable of securing a network decide what is possible and what's not, we would be secure but less useful. Be the judge, it's a crap shoot to me.

10:58 pm on Apr 17, 2006 (gmt 0)

New User

10+ Year Member

joined:May 25, 2005
posts:37
votes: 0


Mine says .google.ca - is this the same thing as .google.com, in this instance?
11:20 pm on Apr 17, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12169
votes: 55


Mine says .google.ca - is this the same thing as .google.com, in this instance?

Yes. If you were not open to this vulnerability, you would end up at the Secunia website.

[secunia.com...]

12:48 pm on Apr 18, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 11, 2005
posts:386
votes: 0


You know what would be a scary application of this?

Tie it in with the hack that changes your browser's home page... imagine your homepage got taken over and yet it still rendered as google.com / yahoo.com / msn.com... How many Gmail / Yahoo Mail / Hotmail users would innocently input their user/pass to those spoofed pages? Google is my homepage, and I can tell you right now that I wouldn't have the slightest idea that I was getting conned if they designed the pages right. (And it's oh-so-tough to recreate Google pages, isn't it?)

1:37 pm on Apr 18, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:July 9, 2003
posts:91
votes: 0


I tried to manually change the google spoof page to [google.com...] and got the original google page.

Question: Are secure websites protected from this vulnerability?

Xyzi

2:34 pm on Apr 18, 2006 (gmt 0)

Inactive Member
Account Expired

 
 


You know what would be a scary application of this?...

Actually that's already possible by just modifying the hosts-file.

4:02 pm on Apr 18, 2006 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7564
votes: 4


Actually that's already possible by just modifying the hosts-file.

Very true, and it would work with any browser the user had installed, not just IE. Address bar spoofing is a very similar concept; thankfully IE7 addresses this issue to an extent by letting you know in no uncertain terms that the certificate does not match the domain. By letting you know I mean red address bar and full page error message before it will let you proceed.

Mack.
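
An added example, not part of any post in this thread: a defensive audit for the hosts-file redirection mentioned above, which flags any hosts entry that pins a watched login domain to a fixed address. The sample file, the watch list and the function names are constructed for illustration; on Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed suspicious entry
0.0.0.0         ads.example.net
198.51.100.23   mail.yahoo.com
::1             localhost
not-an-ip       www.msn.com
"""

# Domains the thread names as likely phishing targets (watch list is an assumption).
WATCHED = ("google.com", "yahoo.com", "msn.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address; skip
        for name in fields[1:]:
            yield line_no, str(ip), name.lower().rstrip(".")


def is_watched(name, watched=WATCHED):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED):
    """Return hosts entries that override DNS for a watched domain."""
    return [(n, ip, name) for n, ip, name in parse_hosts(text)
            if is_watched(name, watched)]


if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Any hit deserves a look, including loopback addresses, since a watched domain normally has no reason to appear in the hosts file at all.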

9:50 pm on Apr 18, 2006 (gmt 0)

New User

10+ Year Member

joined:Sept 14, 2002
posts:32
votes: 0


Actually, IE 6.0 on my Win XP SP2 box initially failed this exploit. I just got Google on the Google URL - however, moving the window aside, I had two dialog boxes asking me to "Allow sub-frames to navigate across different domains?". Clicking "No" keeps Google.co.uk shown in the URL bar with the contents of the site being Google - clicking "Yes" (to both dialog boxes) shows the exploit with Google.co.uk in the URL bar and Secunia's site in the window.
1:44 am on Apr 19, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 31, 2002
posts:880
votes: 0


"disable active scripting"
How? Where? I can't find it.
2:47 am on Apr 19, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:July 12, 2004
posts:384
votes: 0


I just tried it using IE 6 and it was fine - the URL was not Google in the address bar.
2:51 am on Apr 19, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:July 12, 2004
posts:384
votes: 0


Just to clarify - XP Home with IE 6 fully patched.
4:05 pm on Apr 19, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12169
votes: 55


Quick question. Anyone having any problems with their IE after performing the above test from Secunia?
4:13 pm on Apr 19, 2006 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7564
votes: 4


I tried the test, and my system was found to be vulnerable. No ill effects since I tested though? What have you been seeing?

Mack.

4:22 pm on Apr 19, 2006 (gmt 0)

Preferred Member

joined:June 2, 2003
posts:376
votes: 0


The Secunia alert seems valid for people with bad habits while browsing. People browsing porn should be worried about the vulnerability.

However, the alert is mainly hype for Secunia. The link in the top of the WebmasterWorld homepage only enhances such hype.

I think it is time for WebmasterWorld to provide better and more relevant content on its homepage.

4:23 pm on Apr 19, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12169
votes: 55


What have you been seeing?

Well, yesterday I had some major issues with the temp cache (IE) being flooded. Also, something happened with my Norton Spam within Outlook although that may be unrelated.

Since then, I've done full system scans for viruses, etc. All is well.

After dumping the temp cache and reviewing all my running processes (just to be sure), things appear to be back to normal. I don't want to run the test again until I know for sure if others experienced any issues.

4:25 pm on Apr 19, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12169
votes: 55


The Secunia alert seems valid for people with bad habits while browsing. People browsing porn should be worried about the vulnerability.

Huh? Are you saying that this is linkbait for Secunia? And that the vulnerability only affects those browsing p*rn sites?

9:40 am on Apr 22, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2005
posts:140
votes: 0


Thanks for the information.
2:36 pm on Apr 23, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 25, 2005
posts:677
votes: 0


Hard to believe, but there is still NO patch for it. IE is still vulnerable; tried it on my PC.
4:55 pm on Apr 30, 2006 (gmt 0)

New User

joined:Apr 30, 2006
posts:4
votes: 0


Thanks for the info and advice, I will use Firefox first.