New Internet Explorer Security Issue
Old 10th December 2003 | 23:50
#1
New Internet Explorer Security Issue

According to the discoverers:


There is a bug in the way that Internet Explorer displays URLs in the address bar.

By opening a specially crafted URL an attacker can open a page that appears to be from a different domain from the current location.

By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the "@" character. Internet Explorer doesn't display the rest of the URL, making the page appear to be at a different domain.

A benign demonstration can be found at http://www.zapthedingbat.com/security/ex01/vun1.htm


This is particularly relevant (to UK viewers, at least) as there has been a spate of scam emails recently, trying to persuade victims to "log on" to the websites of well-known high street banks, because the user purportedly needs to update/reactivate/other bogus excuse their account. The user is then covertly redirected to the fraudster's site, which promptly harvests the bank details of those who are unwary enough to put them in... (to be fair, some of the fraudsters' sites do appear, on cursory examination, to be very realistic facsimiles of the genuine sites.)

This bug could, of course, be exploited by any potential scammer to subvert the connections of the unwary.

At present there is no fix from Microsoft. The only available workaround is not to use IE...

"Let's be careful out there..."
RomeoTangoFoxtrotMike
Old 11th December 2003 | 09:09
#2
There's a variant of that scam that works with any browser - I've had three in the past two days and was curious enough to download them out of my spamcop filterbox to have a looksee.

They worked with both IE and Mozilla.
They display the "correct" address for NatWest and for Lloyds TSB online banking. When the link is clicked on, they use a line of "delete" characters, then insert their own URL. Mozilla shows this happening, so it's quite clear summat's up.

They then "pass through" to the genuine Bank site, but feed a "dummy" page in the relevant place that asks for your full PIN and security password (rather than a few characters from each).

It appears to be "real time", because feeding the thing spurious info then brings up (after some delay) the Bank's "error message". I didn't try with my "real" details to see what would happen then...

I've reported both to the relevant Bank security departments, complete with the offending e-mail. One linked to a site in California, the other to an open relay in a University in Japan.
Keef
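Both posts describe the same failure: what the reader sees (the IE address bar in post #1, the link text in post #2) is not the host the browser actually connects to. The script below is an added example, not part of the thread, that uses the WHATWG URL parser shipped with Node.js (the same parsing rules modern browsers follow) to show where a user@host URL with an embedded 0x01 really resolves, and to flag the tell-tale signs from both posts: userinfo before "@", control or "delete" characters, and visible text naming a different host. The hostnames (bank.example, evil.example) and link text are constructed for illustration.

```javascript
// Added example, not from the thread. Hostnames and link text are constructed.
// Runs on Node.js; `URL` is the WHATWG parser that modern browsers also use.

// Control characters: the 0x01 that hid the rest of the URL in IE, and the
// "delete" (0x7f) characters that post #2 saw inserted into the link.
const CONTROL = /[\x00-\x1f\x7f]/;

// Analyse one link: `href` is what the browser will fetch, `linkText` is what
// the reader sees. Returns the real host plus a list of findings.
function analyseLink(href, linkText) {
  const findings = [];

  // IE stopped rendering the address bar at the control character, so the
  // victim saw only the prefix before it. Record that prefix for comparison.
  const cut = href.search(CONTROL);
  const shownByIE = cut === -1 ? href : href.slice(0, cut);
  if (cut !== -1) findings.push(`control character in href at offset ${cut}`);

  // Parse as the browser does. A control character inside the userinfo is
  // percent-encoded rather than rejected, and the host is whatever follows
  // the last "@" in the authority.
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { ok: false, realHost: null, shownByIE, findings: [`unparseable href: ${err.message}`] };
  }

  // user@host form: everything before "@" is credentials, not the site.
  if (url.username !== "" || url.password !== "") {
    findings.push(`userinfo "${url.username}" precedes the real host ${url.hostname}`);
  }

  // Delete/control characters in the visible link text are never legitimate.
  if (CONTROL.test(linkText)) findings.push("control character in link text");

  // Visible text that names a host other than the one the href resolves to.
  const named = linkText.match(/(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
  if (named && named[1].toLowerCase() !== url.hostname) {
    findings.push(`link text names ${named[1]} but href resolves to ${url.hostname}`);
  }

  return { ok: findings.length === 0, realHost: url.hostname, shownByIE, findings };
}

// Constructed samples modelled on the two posts: the IE 0x01 trick, the
// "correct address plus delete characters" variant, and a clean link.
const SAMPLES = [
  ["http://www.bank.example\x01@evil.example/login", "http://www.bank.example/login"],
  ["http://evil.example/phish", "http://www.bank.example/\x7f\x7f\x7f"],
  ["https://www.bank.example/", "Online banking"],
];

for (const [href, text] of SAMPLES) {
  const r = analyseLink(href, text);
  console.log(JSON.stringify(text), "->", r.ok ? "OK" : "SUSPECT", r.realHost, r.findings);
}
```

Run it with `node`. The first sample is the bug from post #1: IE would have shown only `http://www.bank.example`, while the parser reports the real host as `evil.example` and the bank name as a percent-encoded username. The lesson the check encodes is the one Keef drew from Mozilla's behaviour: read the parsed host, not the text, before trusting a link.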
