New Phishing Flaw in Internet Explorer

JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (German) media outlets, this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

  • Why?? (Score:2, Insightful)

    by liliafan ( 454080 ) * on Thursday April 06, 2006 @02:08PM (#15078147) Homepage
    I know IE is supposed to still be the most popular web browser there is, but my site shows Firefox is in much higher use (roughly 96%). But I guess that since over 97% of hits to my site have been from Slashdot that isn't so unusual, I was surprised to see that 98% of visitors used Windows.

    Why are people still using IE? Even the most uneducated users must have heard of alternative browsers by now. I am not specifically advocating any particular browser, I use Firefox, but I have heard great reports about Opera. Geez, these days I would use Lynx over IE (and quite often do). We hear about new vulnerabilities in IE all the time. IE users, get a clue.
  • Re:Why?? (Score:5, Insightful)

    by LunaticTippy ( 872397 ) on Thursday April 06, 2006 @02:12PM (#15078180)
    I'll tell you why.

    It's the default browser.

    I make it a point to install Firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)

    The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.

  • Re:Why?? (Score:4, Insightful)

    by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Thursday April 06, 2006 @02:20PM (#15078249)
    People keep IE because of two factors:

    1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.

    2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript.

    Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use. They don't bother with the "Top 10 list for making Windows faster" because it requires registry edits or going deep into the preferences or something. They're not dumb, it's just that computers aren't their field, and they don't like the idea of spending an hour changing something.
  • Re:Why?? (Score:5, Insightful)

    by ThinkFr33ly ( 902481 ) on Thursday April 06, 2006 @02:24PM (#15078293)
    You're missing the biggest factor.

    Most people just don't care what browser they're using. They just want to check their e-mail and go to myspace. It's as simple as that.

    Many of them don't even know what a "browser" is. They call it "The Internet".

    That's why people don't switch to Firefox.
  • Re:Why?? (Score:5, Insightful)

    by LunaticTippy ( 872397 ) on Thursday April 06, 2006 @02:27PM (#15078333)
    I try to think of my mother as a typical user. She can just barely get around on a computer. I (and many of her friends and relatives) try to educate as best as we can, but it is slow. She still sends out chain letters, including the shergold one. She needed me to help her install Flash to see a stupid website. I told her she could print out documents at Kinko's and she showed up there with her files at home.

    Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.

  • Re:Why?? (Score:2, Insightful)

    by Cruian ( 947046 ) on Thursday April 06, 2006 @02:29PM (#15078363)
    Some people are used to Internet Explorer and its behavior. They can't get used to Firefox or similar browsers. I have tried to teach a few people to use Firefox, but they need the same lesson every time they sit down in front of it. Most of the alternate browsers have tabs, which seems to be the main cause for confusion that I have seen. Are there any alternate browsers that by default don't use tabs? I know you can get similar behavior with Firefox and probably others, but it is annoying to change preferences for just 10 minutes. We could try to give more in-depth lessons on alternate browsers, and their benefits. Also, an index card with any differences from IE may prevent repeated lessons.
  • by Mostly a lurker ( 634878 ) on Thursday April 06, 2006 @02:32PM (#15078390)
    As I understand it, there is a timing component to the flaw and I could imagine you not being vulnerable if the SWF file is too small or you have an extremely fast Internet connection.
  • by chill ( 34294 ) on Thursday April 06, 2006 @02:49PM (#15078527) Journal
    The concept is simple. See the button bar (tab bar on Firefox) up top? Now look down -- see the Status bar down below? In between there is the screen real estate that content should be allowed to touch. Under no circumstances should anything outside of that area be touchable by the browser or any task/thread/job spawned by the browser. Period. The URL bar, button bar, toolbar, and statusbar should be inviolate. JavaScript (or ANY script) should be unable to display text in the status bar, thus making it impossible to lie about link location.

    Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.

    Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.

    * * *

    For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.
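
The certificate-versus-URL check proposed in the comment above, sketched as an added example (not part of the original post, and not code from any browser). The names `nameCovers`, `indicatorFor`, `cert.names` and `cert.userAccepted` are hypothetical, and the hosts and certificates are constructed samples.

```javascript
// Added illustration, not browser code. Names such as indicatorFor and
// cert.names are hypothetical; hosts and certificates below are constructed.

// True if one certificate name covers the host. A wildcard counts only as
// the whole leftmost label and stands for exactly one label.
function nameCovers(certName, host) {
  const name = certName.toLowerCase().replace(/\.$/, "");
  const h = host.toLowerCase().replace(/\.$/, "");
  if (!name.startsWith("*.")) return name === h;
  const suffix = name.slice(1);                   // "*.example.com" -> ".example.com"
  if (suffix.split(".").length < 3) return false; // refuse "*.com"
  if (!h.endsWith(suffix)) return false;
  const left = h.slice(0, h.length - suffix.length);
  return left.length > 0 && !left.includes(".");
}

// Decide what the browser-owned chrome shows. The inputs are the navigated
// URL and the TLS certificate, never anything supplied by page script. A
// user's earlier "accept this certificate" click (cert.userAccepted) is
// deliberately ignored: a mismatch is flagged on every visit.
function indicatorFor(pageUrl, cert) {
  const url = new URL(pageUrl);
  if (url.protocol !== "https:") {
    return { lock: "none", issuedTo: null, urlBar: "default" };
  }
  const match = cert.names.some((n) => nameCovers(n, url.hostname));
  return {
    lock: match ? "steady" : "flashing",
    issuedTo: cert.names.join(", "),   // shown next to the lock
    urlBar: match ? "default" : "orange",
  };
}

// Constructed samples: exact match, wildcard match, accepted-but-mismatched.
const samples = [
  ["https://www.example.com/login", { names: ["www.example.com"], userAccepted: false }],
  ["https://shop.example.com/", { names: ["*.example.com"], userAccepted: false }],
  ["https://login.example.net/", { names: ["www.example.com"], userAccepted: true }],
];
for (const [url, cert] of samples) {
  console.log(url, JSON.stringify(indicatorFor(url, cert)));
}
```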
  • by LocalH ( 28506 ) on Thursday April 06, 2006 @02:53PM (#15078585) Homepage
    I stand corrected - I just did the same as you and found the vulnerability is present.
  • Re:Here you go (Score:4, Insightful)

    by rAiNsT0rm ( 877553 ) on Thursday April 06, 2006 @03:33PM (#15078970) Homepage
    hehehe, awesome. The sad part is that phishers do all this elaborate bullshit to fake their requests, when I guarantee a plain text email asking nicely for info would net them just as many results.
  • Re:Why?? (Score:1, Insightful)

    by Anonymous Coward on Thursday April 06, 2006 @04:48PM (#15079652)
    "Many of them don't even know what a "browser" is. They call it "The Internet"."

    Word
  • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Thursday April 06, 2006 @04:53PM (#15079705)
    People don't think that way. Yes, an ounce of prevention is worth a pound of cure, but most people put off fixing things like that. Just like "One of these days I'll paint the kitchen", or the inevitable promise to eventually "clean out the garage", people might eventually plan on "figuring out that darn computer thing better", but as everyone knows, first there's the game on, then they have gardening to do, or walking the dog, or anything other than doing that, always promising to do it next week. Sort of like me and this paper due in an hour...
  • Re:Why?? (Score:3, Insightful)

    by sl4shd0rk ( 755837 ) on Thursday April 06, 2006 @11:30PM (#15082067)
    Most people just don't care what browser they're using.

    Actually, what I've found is that taking the time to explain to people what spyware is, how the popups get there, why they have 1300 infections, and that there is something they *can* do to minimize their risk, they are all for the idea.

    They do not tend to respond well to: "Ditch that Windows IE bullshit retard. go get Firefox. what's your fucking problem?".
