This works in everything except IE

Who's laughing now? :)

Seriously tho', I can see this becoming a major issue once these lowlifes phishers get hold of it. Should be interesting to watch!

You missed the part where there are serveral plugins for IE being pushed by Verisign (Network Solutions) and others to enable IDN. This "feature" could easily be triggered by activex. Any person worldwide who visits non-english domains probably has this plugin installed already. It won't show up on any list of bad plugins or spyware - because it has positive uses too.

By the way, mac users are the most vulnerable (for a change) because of Safari's IDN support.

That I did. Even so, I'd like to know just how many IE users have that plugin installed - in my own experience, I've only come across a couple of IDN domains, all of them Arabic.
I was looking through verisigns site for anything about IDN plugin usage, but couldn't find any market research from later than 2003. ( [verisign.com...] ). This study concluded that "The primary reason for purchasing IDNs is for protection" and that "they are less likely to have a site or email associated with them".

I find it suspicious that there's nothing more recent about them - strikes me the results weren't good enough for them to publish.

The German domain name market is actually bigger than any other country and they use IDN. So do the French, etc.

It's simply not popular in english speaking countries because you need a special keyboard to be able to enter the special characters (in a quick manner).

examples of IDN domain names [i-dns.net]

Yes, I see that the germans have just extended their support for IDN in the .org domain "due to public demand". And that the Chinese gov is pushing for more chinese IDN support.

I see that up to 8% of all registered domains are IDN, which is we take 66.8M TLDs as being currently registered gives us aprox 5,344,000 IDN TLDs worldwide.

Added: According to Verisign, the IDN plugin for IE autochecks for updates every 24 hours. So if they fix this hole they should be able to fix all vul versions of IE pretty quickly.

I'm not sure if the Verisign patch will be effective. It would be trivial to combine this with another year old known vuln in IE/Outlook:

<a href="http://www.microsoft.com/"><table><tr><td><a 
href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>

Try it then run you mouse over the link using IE. When you mouseover the link, it should even show MS in the status bar. (NB: IE is is the only browser vulnerable to this form of link spoof. Outlook is the only email client vulnerable. This vulnerbaility was first noticed almost a year ago.)

Combine that with this, so the user is sent to the IDN which 301 redirects, and you have a heck of a whammy.

One surprising part of the story is the attitude of Opera Software, who consider that their implementation of IDNs is correct and so they have declined to make any changes. With such an inadequate response, perhaps Wells Fargo [webmasterworld.com] are right after all?

Who's laughing now? :)

Yeah, but the score is still:

Internet Explorer: 2
Mozilla-Firefox United: 876

or something ;)

However, part of the problem with phishing isn't just browsers, it's often email clients. Eudora 6.2 comes with a built-in antiphishing tool called ScamWatch which compares the "displayed" URL with the "actual" URL and warns you if it's deceptive. It's a useful tool, and hardly rocket science. How it would cope with Unicode URLs I don't know though.

Thanks very much for sharing this amznVibe. Only this morning I received a clear phishing email with an apparent link to paypal.com and I didn't have a clue how they had done it. I didn't actually click on the link, but if I had I would have opened it in Firefox and been none the wiser if I had been unwary.

It would be trivial to combine this with another year old known vuln in IE/Outlook:

This was patched by the vendor in August 2004:

[support.microsoft.com...]

A note to those implementing the Firefox workaround: it doesn't work. When you first set

network.enableIDN

to false, IDNs are disabled - but once you restart the browser the value remains false but the IDNs work again. So, we have a bug compounded by another bug, and a false sense of security brought about by a broken workaround.

I am not so sure that is correct.
I think IDN LOOKUPS are disabled when you set to false.
If it's in your dns cache already it will still work.

Here's a possible workaround to make it change the setting on startup everytime:
put this into user.js (using the chrome edit extension)

user_pref("network.enableIDN", false);

Really I think Firefox should change the address area's color when an IDN is present and I would bet an extension for that will be out within 48 hours.

An MSDN blog on the issue:
[blogs.msdn.com...]

ICANN's notes on the issue:
[icann.org...]

URL punycode explained at wikipedia:
[en.wikipedia.org...]

This was patched by the vendor in August 2004:

[support.microsoft.com...]

Oh really? I have that patch, and it's about 50/50 effective.

To me, that means the vuln is unpatched.

Hmmm *makes paypal spoof site*

So how long before we see a patch for Firefox?

I checked out the Firefox support forums, and the nightly builds already have this fixed... it just hasn't made it out to the "stable release" area yet.

A temporary workaround that "sticks" on Firefox has been posted:

you need to edit to your compreg.dat
For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat
For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:

# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.

Correct me if I am wrong, but: doesn't any website that uses Paypal for payments become a potential threat now? All of them require you to click on a link to make payment... :-(

Well it's not just PayPal, it's any link.

Looks like I'm going to start checking the 'view source' on a page before hitting a link to submit a payment.

24 hours to patches and extensions to deal with the problem.
Gotta love Firefox. Anyone can have a bug but how long until its fixed?

For those that need to keep IDN support working, try using the the firefox spoofstick extension
[corestreet.com...]
which has now been updated to highlight domains with extended ascii (IDN) characters:
[jarnot.com...]

ps. don't forget to visit windowsupdate today for your 13 patches to deal with issues months old

Who's laughing now? :)

It isn't that IE's implementation is not vulnerable, it's just that the vulnerability is in a feature that IE doesn't even support

One surprising part of the story is the attitude of Opera Software, who consider that their implementation of IDNs is correct and so they have declined to make any changes. With such an inadequate response, perhaps Wells Fargo are right after all?

Well, their response may be tonedeaf, but it's not "inadequate". The problem isn't in Opera's implementation of IDN (or Mozilla's), but in the IDN spec itself.

It isn't that IE's implementation is not vulnerable, it's just that the vulnerability is in a feature that IE doesn't even support

how about activex?
can we just say: It isn't that Firefox/Opera's implementation is not vulnerable, it's that Firefox/Opera don't even support activex feature.

just joking :)

News update for Firefox:

So, in the mean time, the enableIDN preference will be set to "false" in Firefox 1.0.1 and Mozilla 1.8 beta, including all official localisations. An XPI will be made available to turn it on again; this XPI will make the risks of doing so clear. This means that by default, links to IDN domains which use the Unicode rather than the punycode form for the href will fail, and the browser will display any IDN domain visited in its raw form.

[weblogs.mozillazine.org...]

Firefox fixes this flaw with one heck of a fudge:

[edition.cnn.com...]

Firefox 1.0.1, released last week, shows Web addresses with foreign scripts in code, preceded by the letters "xn." So "paypal.com" with a Cyrillic "a" becomes "xn--pypal-4ve.com."