Forgot your password?
typodupeerror

New Phishing Flaw in Internet Explorer 274

Posted by Zonk
from the another-week-a-new-vulnerability dept.
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."
This discussion has been archived. No new comments can be posted.

New Phishing Flaw in Internet Explorer

Comments Filter:
  • Why?? (Score:2, Insightful)

    by liliafan (454080) *
    I know IE is supposed to still be the most popular web browser there is, but my site shows firefox is in much higher use (roughly 96%). But I guess that since over 97% of hits to my site have been from slashdot that isn't so unusual, I was suprised to see that 98% of visitors used windows.

    Why are people still using IE, even the most uneducated users must have heard of alternative browsers by now. I am not specifically advocating any particular browser, I use firefox, but I have heard great reports about o
    • Re:Why?? (Score:5, Insightful)

      by LunaticTippy (872397) on Thursday April 06, 2006 @02:12PM (#15078180)
      I'll tell you why.

      It's the default browser.

      I make it a point to install firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)

      The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.

      • I understand lack of user education but surely there is no one that hasn't at least heard of firefox by now, I mean if you have been on the web for more than a week you must have at least seen a link, there is news almost weekly on new IE vulnerabilities, when will the average user become educated and what more can us geeks do to push this?
        • Re:Why?? (Score:5, Insightful)

          by LunaticTippy (872397) on Thursday April 06, 2006 @02:27PM (#15078333)
          I try to think of my mother as a typical user. She can just barely get around on a computer. I (and many of her friends and relatives) try to educate as best as we can, but it is slow. She still sends out chain letters, including the shergold one. She needed me to help her install flash to see a stupid website. I told her she could print out documents at kinko's and she showed up there with her files at home.

          Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.

          • Re:Why?? (Score:3, Interesting)

            by walt-sjc (145127)
            My father-in-law is another just like that. Imagine a guy that worked for 20 years at Digital (sales) and loses his 3-pane view in OE. Needs help getting it back. Said his speakers didn't work, found they were plugged into the mic jack. The guy is 70, so it's somewhat understandable, but it's amazing how many 30 year olds are like that too.

            My help-desk employees never fail to inform me of the latest escapades from the "famous five" users that just can't seem to grasp the basics and cause 70% of all the help
        • Re:Why?? (Score:2, Insightful)

          by Cruian (947046)
          Some people are used to Internet Explorer and its behavior. They can't get used to Firefox or similar browsers. I have tried to teach a few people to use Firefox, but they need the same lesson every time they sit down in front of it. Most of the alternate browsers have tabs, which seems to be the main cause for confusion that I have seen. Are there any alternate browsers that by default don't use tabs? I know you can get similar behavior with Firefox and probably others, but it is annoying to change pr
      • I would suggest This Firefox Plugin [mozilla.org]. Works like a dream - you can with a right click open any currently open tab in a new tab, rendered with IE instead of FireFox. You can also set specific websites (update.microsoft.com, etc) to automitically open with IE instead of FireFox. Best part for a web developer - they each have seperate caches, so I can have multiple logins to the same sites for testing purposes :)
        • I've been thinking about using that, it'd sure be nicer than opening IE. I use the seperate cache feature now, but having it in a tab would be handy.

          Have you noticed any compatibility issues? I'm assuming it either has all the security holes IE does, or lacks full compatability.

    • Re:Why?? (Score:4, Insightful)

      by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Thursday April 06, 2006 @02:20PM (#15078249)
      People keep IE because of two factors:

      1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.

      2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript

      Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use. They don't bother with the "Top 10 list for making Windows faster" because it requires registry edits or going deep into the preferences or something. They're not dumb, it's just that computers aren't their field, and they don't like the idea of spending an hour changing something.
      • Re:Why?? (Score:5, Insightful)

        by ThinkFr33ly (902481) on Thursday April 06, 2006 @02:24PM (#15078293)
        You're missing the biggest factor.

        Most people just don't care what browsering they're using. They just want to check their e-mail and go to myspace. It's as simple as that.

        Many of the don't even know what a "browser" is. They call it "The Internet".

        That's why people don't switch to Firefox.
        • The original poster claimed that people knew the difference between IE and Firefox. I gave him that assumption, which you are correct in disputing. I just like to argue on the grounds of "even if you're right, I still win" as a strategy. So even if everyone knows what FF is, my point still stands.
        • Re:Why?? (Score:3, Funny)

          by Xerp (768138)
          I often download the internet and put it onto someones hard disk for them.

          I still have people calling their computer the "hard disk". People who know nothing are still trying to sound vaguely competant by saying "my hard disk is broken". Of course, saying this to someone with 1 point more tech-savvy than then just ends up confusing the poor person... as they actually believe the person.

          So. Whats the easiest way to get these technophobes to switch to firefox? Lets see... make it as a flashy banner ad, spywar
        • Re:Why?? (Score:3, Insightful)

          by sl4shd0rk (755837)
          Most people just don't care what browsering they're using.

          Actually, what I've found is that taking the time to explain to people what spyware is, how the popups get there, why they have 1300 infections, and that there is something they *can* do to minimize their risk, they are all for the idea.

          The do not tend to respond well to: "Ditch that windows IE bullshit retard. go get firefox. what's your fucking problem?".

      • OK, so I spend 30 minutes downloading/installing/configuring.

        I've just saved myself AT LEAST 5 or 6 hours of fucking around google trying to find ways to get rid of some piece of spyware.

        Come on. Who DOESN'T have time to install Firefox?

        • People don't think that way. Yes, an ounce of prevention is worth a pound of cure, but most people put off fixing things like that. Just like "One of these days I'll paint the kitchen", or the inevitable promise to eventually "clean out the garage", people might eventually plan on "figuring out that darn computer thing better", but as everyone knows, first there's the game on, then they have gardening to do, or walking the dog, or anything other than doing that, always promising to do it next week. Sort
    • Corporate Policy (Score:4, Informative)

      by Valdrax (32670) on Thursday April 06, 2006 @02:22PM (#15078277)
      I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.

      So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seem invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.
    • Why are people still using IE

      Because their network admin doesn't have the time to figure out how to roll out a working install of Firefox (fully configured, and with all the desired plugins and extensions).

      I know. I did install FF on around 20 machines, and it wasn't easy to find a semi-automatic way to install. And it got worse when the 1.5 upgrade came: I eventually did go to all the 20 machines, and did the upgrade manually.

      Firefox is great for individual users (and even then, some find the stupid "brows [alma.ch]
  • by stunt_penguin (906223) on Thursday April 06, 2006 @02:10PM (#15078164)
    1. Look up in top left hand corner of browser.
    2. If icon is a blue 'e' then you're vulnerable.

    That is all.

    /ms troll
    • Not even the beta IE 7 i have is working right, thank god firefox tested good, otherwise i might have to switch to lynx!!!
    • Umm... (Score:3, Funny)

      by atrader42 (687933)
      When I run IE, the icon in the top left is an arrow pointing left...does that mean I'm ok and Paypal really does need me to confirm my account details several times a day?
  • Bug fixed in IE7b2 (Score:4, Informative)

    by LocalH (28506) on Thursday April 06, 2006 @02:12PM (#15078177) Homepage
    I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.
    • by Krach42 (227798)
      I just checked in IE6, and I thought that the bug was gone, but it just turns out that if you don't stay in the window, it doesn't work. If the window loses focus, then the test will fail, even inside a vulnerable IE window.

      I retested keeping focus in the window, and confirmed the bug.
      • by LocalH (28506)
        I stand corrected - I just did the same as you and found the vulnerability is present.
      • I tried with IE6 and I didn't experience the bug. When I hovered over the test link IE identified it as javascript:StartTest(); and when I clicked on it nothing happened.

        Of course, that is because I have javascript disabled for the Internet Zone. Amazing how many attacks that renders ineffective. (And also amazing how many websites use javascript for silly things like selecting the next page).
        • by walt-sjc (145127)
          The NoScript FF plugin allows selective use of javascript without messing with "security zones." Quite nice actually. Default deny, and partially allow as needed.
      • then the test will fail, even inside a vulnerable IE window

        I found that you need to run IE at the Administrator level for the test to show the vulnerability. I generally use DropMyRights when running IE (the only browser permitted here at work), and the vulnerability didn't show up until I ran IE at Administrator level.

    • by NeoThermic (732100) on Thursday April 06, 2006 @03:28PM (#15078920) Homepage Journal
      You can also fix this in IE6. Go to Tools -> Options, click the security tab, then click on 'Custom Level'

      Scroll down until you find 'Navigate sub-frames across diffrent domains'; set it to prompt or disable.

      The test fails if you set it to disable, and it will ask you if its allowed (to exploit you) if you set it to prompt.

      NeoThermic
  • Is this a bug in XP or something?
  • by paulproteus (112149) <[gro.hseehsa] [ta] [todhsals]> on Thursday April 06, 2006 @02:14PM (#15078194) Homepage
    I tested this attack in Internet Explorer 6 on Ubuntu 5.10 running the current Wine deb from winehq.
    • That's cute.
    • Heh. Same here, using the (k)Ubuntu current deb. The exploit works fine. It doesn't in Konqueror, for what it's worth.

      I kind of which there was a way to change the location bar within the domain -- or at least give a dynamic "bookmark" url. That way AJAX and framed content could change the url based on what was being displayed so that the user could bookmark and come back to something inside the site.

      --
      Evan

    • I just tried IE6 on win xp 64, the 32 bit version was vunerable the 64 bit version of IE was not.
  • by eno2001 (527078) on Thursday April 06, 2006 @02:15PM (#15078210) Homepage Journal
    Warning. Your Slashdot login information may have been compromised by a sly fox. To ensure greater security please reply to this comment with your current UID and password and the new password you want. I'll be sure to forward it off to CmdrTaco as soon as I see a response.

    Thanks,
    Internet Security Sheriff
  • Used the test, doesn't work for me. I see the proper URL.

    Haven't patched in a month or so.

    So... if this flaw exists, it's a fairly old version that has it.
  • by joe 155 (937621) on Thursday April 06, 2006 @02:21PM (#15078258) Journal
    ...phishing is still going to be a serious problem... although the bar is important for users it shouldn't be the only source that they look for to see if a site is authentic, it should be based on all the factors which can give some inclination that the site is either legitimate or not and we need to create a culture where people look with caution on websites. See the register article on this topic with an interesting article on how people deal with these website http://www.theregister.co.uk/2006/03/31/phishing_s tudy/ [theregister.co.uk]... worryingly the amount of time spent on a computer doesn't seem to have any effect on how much at risk people are.

    this should also serve as a reminder that people who get fooled with this aren't just stupid fools who don't know what a computer is.
    • I agree. My default behavior with any browser, Firefox or IE, is to never visit important sites (anything financial related) on a click-through. That's what the address bar at the top is for. I swear Firefox users are as smug as OSX users. One day, one new vulnerability is going to tear one as wide as the Goat.se.
  • Ga! (Score:5, Funny)

    by MightyMartian (840721) on Thursday April 06, 2006 @02:24PM (#15078295) Journal
    New Phishing Flaw in Internet Explorer

    I'm shocked, I tell you, I'm shocked!

  • Tried it on XP using IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519. (Update versions SP2, 3283) and it showed the correct URL.

    My XP machine is fully patched.

    Did somebody jump the gun over at Secunia?
    • That's interesting because I'm running 6.0.2900.2180.xpsp_sp2_gdr.050301-1519CO (don't know what the deal is with the CO on the end there, I just typed out what it says in the about box) and I found that I was vulnerable. Supposedly my XP machine is fully patched as well (Work PC with forced daily patch roll-outs via IT).
      br. FWIW, this post is coming from the Firefox browser. I still have to run IE for all the crappy Peoplesoft and SAP applications that depend on it.
    • I tried it first, and it failed, then I tried it again, and it worked. Turns out if you don't keep focus in the window, the flaw doesn't happen.

      Just for your info, I'm using:

      IE Version 6.0.2900.2180.xpsp_sp2_gdr.060220-1746

      and my Windows XP is fully patched.

      So it's probably a related issue, or something else, but your browser is definitely just as vulnerable to the flaw as mine.
    • That's odd. It works on my version of IE (6.0.2900.2180.xpsp_sp2_rtm.040803-2158). I'm not too far off on the service packs but, I've been slack lately.

      It looks likely there is a fix in a service pack between your version and mine.
    • Interesting. *I* just tried it on XP using IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, and it showed the incorrect URL, as predicted by Secunia.

      My XP machine is also fully patched.
  • ...surprisingly.

    One nice thing about Mozilla is that you can easily disseminate who is or is not vulnerable based upon a simple to understand version number. Not so with IE.
    • One nice thing about Mozilla is that you can easily disseminate who is or is not vulnerable based upon a simple to understand version number.

      As long as the vulnerability is always present, not triggered by individual extensions. And except for all the people using nightlies, and unofficial builds. And for flaws in Gecko, you have a different "simple" version number for every single Gecko browser - Firefox, Seamonkey, Galeon, Camino, and all the others that I've forgotten.

      Sorry, but while Mozilla et al. ha
  • Which Version? (Score:4, Interesting)

    by kid-noodle (669957) <{jono} {at} {nanosheep.net}> on Thursday April 06, 2006 @02:27PM (#15078338) Homepage
    Judging from my own quick go on the test as well as the /. comments, the advisory that this affects 6.x versions is wrong. It would be more useful if there was information on which 6.x versions it affects - is this an issue intoduced in a recent patch, or is it pre-whatever versions only? (And an undetermined number of IE7 versions)

    Is this related to the flash player version?

    More data needed!
    • If, like me, you ran a quick check with IE and flicked away to look at something else.. It didn't work.

      The window must remain in focus for the spoof to suceed - at least in my version of IE.
    • the advisory that this affects 6.x versions is wrong

      Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 here (so yes, XP SP2), and the exploit works just fine. It might depend on your security settings, which I didn't really bother to check in IE because I never use it anyway. Maybe you disabled any kind of scripting or have installed 3rd party popup-blockers or anything else that might change the default behaviour?
    • just tested and the hole exists in IE7 beta 2
  • What? (Score:4, Funny)

    by snib (911978) <admin@snibworks.com> on Thursday April 06, 2006 @02:43PM (#15078484) Homepage
    This doesn't work in Firefox. I hate it when people only design their pages for IE!!
  • by m50d (797211) on Thursday April 06, 2006 @02:44PM (#15078493) Homepage Journal
    I tried to open the test page in Konqueror and it crashed. I wish I was joking :(
  • If you've got the Netcraft Toolbar installed in IE, it isn't fooled. In the test, even though the address line reads "www.google.com", the toolbat correctly identified the content as coming from Secunia.

    Disclaimer: I am not a Netcraft employee, just a satified customer.
  • by chill (34294) on Thursday April 06, 2006 @02:49PM (#15078527) Journal
    The concept is simple. See the button bar (tab bar on Firefox) up top? Now look down -- see the Status bar down below? In between there is the screen real estate that content should be allowed to touch. Under no circumstances should anything outside of that area be touchable by the browser or any task/thread/job spawned by the browser. Period. The URL bar, button bar, toolbar, and statusbar should be inviolate. Javascript (or ANY script) should be unable to display text in the status bar, thus making it impossible to lie about link location.

    Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.

    Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.

    * * *

    For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.
    • I agree wholeheartedly. Other things that shouldn't be possible: specifying a window as never having scrollbars, specifying a window as non-resizeable, or changing the behavior of a right-click to anything other than causing the context menu to appear.

    • Agreed 100%. So, why is it so hard to keep this from happening? I'd be fine installing flash and shockwave with an external application. I'd be fine having to download anything to my HardDisk, scan it, and then be able to open it (movies, photos, executable).

      I would append, under no circumstance may internet content instruct my browser to be a certain size, take away from any functionality of either the mouse or shortcuts... a true sandbox.

  • SSL and phishing (Score:3, Informative)

    by internic (453511) on Thursday April 06, 2006 @03:02PM (#15078660)

    If people would pay attention to whether the connection is a secure SSL connection, wouldn't that alleviate most of the problem? As I understand it the browser would show "secure" if the site has a valid SSL cert signed by one of the root certification authorities installed in your browser that was registered to the domain of the site you were looking at. I suppose it's possible that a phisher could get a valid SSL cert for their phishing domain, but isn't that pretty unlikely?

    Of course, training people to pay attention to whether it's an secure connection before giving important private information is a different issue, but it seems like you might be able to make some progress through education and adding features to the browser to make it a bit more obvious. You could make the secure icon more obvious, and you might even be able to get more clever and guess which pages are bank pages and ask "are you sure" when people try to send info unencrypted to those pages.

    Meanwhile, my bank and some of my credit cards have a login prompt on the front page that is not https. Sure, it starts an SSL connection after you hit login, but, at that point, if you've been spoofed it would already be too late.

  • If you for some reason HAVE to use Internet Explorer, at the very least you should be using Deepnet Explorer [deepnetexplorer.com], with the anti-phishing (and anti-everything-else) turned on. If you don't know that by now, please sell your computer before you hurt somebody.
  • Good Grief (Score:4, Funny)

    by rAiNsT0rm (877553) on Thursday April 06, 2006 @03:21PM (#15078863) Homepage
    The other day I sent out an email to everyone in our company warning them of a new phishing scheme with a copy of the email attached. Within 10 minutes I had not one, but TWO replies to me with people's account/password info.

    So not only did they miss the entire message, they also couldn't even give their information to the right person. I wanted to just cry... I honestly think phishers deserve some peoples information.
  • by Patman (32745) <pmgeahan-slashdot.thepatcave@org> on Thursday April 06, 2006 @03:37PM (#15079015) Homepage
    Note that this exploit also works if you're using the IE Tab add-on for Firefox. I know that IE Tab basically runs IE in a Firefox window; but, I was surprised that the address bar was corruptible.
  • moderate risk? (Score:2, Interesting)

    by goldfita (953969)
    The article said this is a moderate security risk. This is bad. At first they were asking for private information in e-mail. Then they were coping web sites and linking to them. I've already had to train myself to be wary of e-mail. Now I've started looking at URLs. But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?

    The spam is bad enough, but I'm frequently clicking the 'report phishing' link these days. You only have to make a mistake once.
    • Re:moderate risk? (Score:3, Interesting)

      by fdiskne1 (219834)

      But if they can fake the URL too, how in the world is anyone supposed to know which sites are authentic?

      Simple. If it comes to you in an email or in any way other than you typing the URL in the address bar, it's fake. Granted, DNS poisoning can still take advantage, but that's not the browser's fault. At least this is the way I treat any email requesting me to log on somewhere. I saw an email one of our users received that looked like a phishing email in that it asked them to click a link to login and vi

  • by dpbsmith (263124) on Thursday April 06, 2006 @03:56PM (#15079182) Homepage
    when in an internal memo, Bill Gates said [com.com] "We must lead the industry to a whole new level of Trustworthiness in computing."

    Remind me, again... how many major OS releases and services packs and IE versions have been released since then?
  • Boot Camp (Score:3, Funny)

    by AragornSonOfArathorn (454526) on Thursday April 06, 2006 @03:58PM (#15079195)
    I'm running IE on my new MacBook via Boot Camp. But since Macs don't get viruses, I'm safe, right?
  • Just copy and paste this into your comment!

    >>>Linux good, Microsoft bad!
  • Seems like it uses a popup, which is blocked by MSIE by default. Makes me feel a little better about not having send yet another alert down the chain.

If you do something right once, someone will ask you to do it again.

Working...