New Phishing Flaw in Internet Explorer 274
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."
Why?? (Score:2, Insightful)
Why are people still using IE, even the most uneducated users must have heard of alternative browsers by now. I am not specifically advocating any particular browser, I use firefox, but I have heard great reports about o
Re:Why?? (Score:5, Insightful)
It's the default browser.
I make it a point to install firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)
The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.
Re:Why?? (Score:2)
Re:Why?? (Score:5, Insightful)
Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.
Re:Why?? (Score:3, Interesting)
My help-desk employees never fail to inform me of the latest escapades from the "famous five" users that just can't seem to grasp the basics and cause 70% of all the help
ff tabs (Score:2)
Re:Why?? (Score:2, Insightful)
Re:Why?? (Score:2)
Re:Why?? (Score:3, Interesting)
Despite having spent more than a decade and a half on systems, even starting out before mice were even conceived of, he is not a completely mouse oriented person who doesn't
Re:Why?? -- for IE only apps.... (Score:2, Informative)
Re:Why?? -- for IE only apps.... (Score:2)
Have you noticed any compatibility issues? I'm assuming it either has all the security holes IE does, or lacks full compatability.
Re:Why?? (Score:4, Insightful)
1) A lot of users only know how IE does things. It could be scary to have to deal with a different layout, or a different set of commands, or a different method of bookmarking or whatever.
2) They don't want to take the time. It takes like 10 minutes to download Firefox, then time to install, and then they have to set it as the default browser, and change shortcuts, and then get all their bookmarks and passwords and everything into Firefox, so it is honestly not a 3 minute process, more like 30 minutes, and more if you take into account getting the right extensions, like ad-block and flashblock and noscript
Fundamentally, the problem is that most users don't see computers as something to configure, they see it as a tool to use. They don't bother with the "Top 10 list for making Windows faster" because it requires registry edits or going deep into the preferences or something. They're not dumb, it's just that computers aren't their field, and they don't like the idea of spending an hour changing something.
Re:Why?? (Score:5, Insightful)
Most people just don't care what browsering they're using. They just want to check their e-mail and go to myspace. It's as simple as that.
Many of the don't even know what a "browser" is. They call it "The Internet".
That's why people don't switch to Firefox.
Re:Why?? (Score:2)
Re:Why?? (Score:2)
Re:Why?? (Score:3, Funny)
I still have people calling their computer the "hard disk". People who know nothing are still trying to sound vaguely competant by saying "my hard disk is broken". Of course, saying this to someone with 1 point more tech-savvy than then just ends up confusing the poor person... as they actually believe the person.
So. Whats the easiest way to get these technophobes to switch to firefox? Lets see... make it as a flashy banner ad, spywar
Re:Why?? (Score:3, Insightful)
Actually, what I've found is that taking the time to explain to people what spyware is, how the popups get there, why they have 1300 infections, and that there is something they *can* do to minimize their risk, they are all for the idea.
The do not tend to respond well to: "Ditch that windows IE bullshit retard. go get firefox. what's your fucking problem?".
Yeah, it's a 30 minute process (Score:2)
I've just saved myself AT LEAST 5 or 6 hours of fucking around google trying to find ways to get rid of some piece of spyware.
Come on. Who DOESN'T have time to install Firefox?
Re:Yeah, it's a 30 minute process (Score:3, Insightful)
Corporate Policy (Score:4, Informative)
So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seem invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.
Re:Corporate Policy (Score:2)
Re:Because... (Score:2)
Because their network admin doesn't have the time to figure out how to roll out a working install of Firefox (fully configured, and with all the desired plugins and extensions).
I know. I did install FF on around 20 machines, and it wasn't easy to find a semi-automatic way to install. And it got worse when the 1.5 upgrade came: I eventually did go to all the 20 machines, and did the upgrade manually.
Firefox is great for individual users (and even then, some find the stupid "brows [alma.ch]
Re:Why?? (Score:2)
Re:Why?? (Score:2)
c'est la vie
Re:Why?? (Score:2)
"Welcome to the web....to enter please answer the following multiple choice question correctly, if you get the answer right you will be allowed to connect, if you answer incorrectly we will use your unpatched version of IE to executed arbitary code on your machine causing your modem to be destroyed"
Test I can try? (Score:5, Funny)
2. If icon is a blue 'e' then you're vulnerable.
That is all.
Re:Test I can try? (Score:2, Funny)
Re:Test I can try? (Score:2)
IE 6 (XPSP2) flashed Google, then loaded the Secunia page. Again, URLs remained correct...
Umm... (Score:3, Funny)
Re:Umm... (Score:2)
Re:Umm... (Score:2)
Bug fixed in IE7b2 (Score:4, Informative)
Re:Bug fixed in IE7b2 (Score:3, Informative)
I retested keeping focus in the window, and confirmed the bug.
Re:Bug fixed in IE7b2 (Score:3, Insightful)
Re:Bug fixed in IE7b2 (Score:2)
Of course, that is because I have javascript disabled for the Internet Zone. Amazing how many attacks that renders ineffective. (And also amazing how many websites use javascript for silly things like selecting the next page).
Re:Bug fixed in IE7b2 (Score:3, Informative)
Re:Bug fixed in IE7b2 (Score:2)
I found that you need to run IE at the Administrator level for the test to show the vulnerability. I generally use DropMyRights when running IE (the only browser permitted here at work), and the vulnerability didn't show up until I ran IE at Administrator level.
Re:Bug fixed in IE7b2 (Score:4, Informative)
Scroll down until you find 'Navigate sub-frames across diffrent domains'; set it to prompt or disable.
The test fails if you set it to disable, and it will ask you if its allowed (to exploit you) if you set it to prompt.
NeoThermic
Does not work on IE 6.0.2800.1106 on Win2K (Score:2)
Re:Does not work on IE 6.0.2800.1106 on Win2K (Score:2)
Re:Does not work on IE 6.0.2800.1106 on Win2K (Score:2)
Yes, it does: IE 6.0.2800.1106 on Win2K (Score:2)
It works on mine, and it's apparently the same version. IE 6.0.2800.1106 and Win2k. Since it's using Flash, it may be dependent on which Flash player version is installed.
Does work on IE 6.0.2800.1106 on Win2K (Score:2)
Confirmed vulnerable (Score:3, Funny)
Re:Confirmed vulnerable (Score:2)
Re:Confirmed vulnerable (Score:2)
I kind of which there was a way to change the location bar within the domain -- or at least give a dynamic "bookmark" url. That way AJAX and framed content could change the url based on what was being displayed so that the user could bookmark and come back to something inside the site.
--
Evan
Re:Confirmed vulnerable (Score:2)
Your Slashdot Login Information (Score:3, Funny)
Thanks,
Internet Security Sheriff
Re:Your Slashdot Login Information (Score:2)
Password: ********
Re:Your Slashdot Login Information (Score:2)
Yeah, New Flaw in OLD VERSION maybe (Score:2)
Haven't patched in a month or so.
So... if this flaw exists, it's a fairly old version that has it.
even when this gets fixed.... (Score:3, Informative)
this should also serve as a reminder that people who get fooled with this aren't just stupid fools who don't know what a computer is.
Re:even when this gets fixed.... (Score:2)
Ga! (Score:5, Funny)
I'm shocked, I tell you, I'm shocked!
Re:Ga! (Score:3, Funny)
Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr... (Score:2)
My XP machine is fully patched.
Did somebody jump the gun over at Secunia?
Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. (Score:2)
br. FWIW, this post is coming from the Firefox browser. I still have to run IE for all the crappy Peoplesoft and SAP applications that depend on it.
Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. (Score:3, Informative)
Just for your info, I'm using:
IE Version 6.0.2900.2180.xpsp_sp2_gdr.060220-1746
and my Windows XP is fully patched.
So it's probably a related issue, or something else, but your browser is definitely just as vulnerable to the flaw as mine.
Re:Doesn't work on IE 6.0.2900.2180.xpsp_sp2_gdr.. (Score:2)
It looks likely there is a fix in a service pack between your version and mine.
Re:Does work on IE 6.0.2900.2180.xpsp_sp2_gdr.. (Score:2)
My XP machine is also fully patched.
Latest and 'greatest' not vulnerable... (Score:2)
One nice thing about Mozilla is that you can easily disseminate who is or is not vulnerable based upon a simple to understand version number. Not so with IE.
Re:Latest and 'greatest' not vulnerable... (Score:2)
As long as the vulnerability is always present, not triggered by individual extensions. And except for all the people using nightlies, and unofficial builds. And for flaws in Gecko, you have a different "simple" version number for every single Gecko browser - Firefox, Seamonkey, Galeon, Camino, and all the others that I've forgotten.
Sorry, but while Mozilla et al. ha
Which Version? (Score:4, Interesting)
Is this related to the flash player version?
More data needed!
Addendum: (Score:2)
The window must remain in focus for the spoof to suceed - at least in my version of IE.
Re:Which Version? (Score:2)
Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 here (so yes, XP SP2), and the exploit works just fine. It might depend on your security settings, which I didn't really bother to check in IE because I never use it anyway. Maybe you disabled any kind of scripting or have installed 3rd party popup-blockers or anything else that might change the default behaviour?
Re:Which Version? (Score:2)
What? (Score:4, Funny)
Looks like I'm secure (Score:5, Funny)
Re:Looks like I'm secure (Score:2)
Re:Looks like I'm secure (Score:2)
Re:Looks like I'm secure (Score:2, Informative)
Netcraft Toolbar isn't fooled (Score:2)
Disclaimer: I am not a Netcraft employee, just a satified customer.
Fundamental Browser Issue (Score:5, Insightful)
Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.
Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.
* * *
For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.
Re:Fundamental Browser Issue (Score:2)
Re:Fundamental Browser Issue (Score:2)
I would append, under no circumstance may internet content instruct my browser to be a certain size, take away from any functionality of either the mouse or shortcuts... a true sandbox.
SSL and phishing (Score:3, Informative)
If people would pay attention to whether the connection is a secure SSL connection, wouldn't that alleviate most of the problem? As I understand it the browser would show "secure" if the site has a valid SSL cert signed by one of the root certification authorities installed in your browser that was registered to the domain of the site you were looking at. I suppose it's possible that a phisher could get a valid SSL cert for their phishing domain, but isn't that pretty unlikely?
Of course, training people to pay attention to whether it's an secure connection before giving important private information is a different issue, but it seems like you might be able to make some progress through education and adding features to the browser to make it a bit more obvious. You could make the secure icon more obvious, and you might even be able to get more clever and guess which pages are bank pages and ask "are you sure" when people try to send info unencrypted to those pages.
Meanwhile, my bank and some of my credit cards have a login prompt on the front page that is not https. Sure, it starts an SSL connection after you hit login, but, at that point, if you've been spoofed it would already be too late.
Deepnet, people! (Score:2)
Good Grief (Score:4, Funny)
So not only did they miss the entire message, they also couldn't even give their information to the right person. I wanted to just cry... I honestly think phishers deserve some peoples information.
Here you go (Score:3, Funny)
Re:Here you go (Score:4, Insightful)
Works in IETab as well (Score:3, Informative)
moderate risk? (Score:2, Interesting)
The spam is bad enough, but I'm frequently clicking the 'report phishing' link these days. You only have to make a mistake once.
Re:moderate risk? (Score:3, Interesting)
Simple. If it comes to you in an email or in any way other than you typing the URL in the address bar, it's fake. Granted, DNS poisoning can still take advantage, but that's not the browser's fault. At least this is the way I treat any email requesting me to log on somewhere. I saw an email one of our users received that looked like a phishing email in that it asked them to click a link to login and vi
Remember January 15th, 2002, (Score:3, Funny)
Remind me, again... how many major OS releases and services packs and IE versions have been released since then?
Boot Camp (Score:3, Funny)
Generic Slashdot Comment (Score:2)
>>>Linux good, Microsoft bad!
Just tried it with our company's stock IE install (Score:2)
Re:IE versions (Score:2)
Re:IE versions (Score:2)
Re:IE versions (Score:2)
At any rate, I just tested it, and it did display the correct address, tho it couldn't see any of the web page itself other than a whopping big "SECUNIA" banner.
I also tested Netscape 3.04 and Mozilla 1.5, and neither was vulnerable. NS3 did bri
The following versions are affected: (Score:2, Interesting)
According to the advisory linked in the article:
But I'm running IE6 on XP SP2 fully patched and I'm not vulnerable to their test. Since this involves macromedia flash, I'm assuming this is mixed with a bug in flash or else something else besides IE
Re:The following versions are affected: (Score:3, Insightful)
Re:Firefox (Score:2)
Deerpark G4, Mac OS 10.4.5 Had to disable noscript in order to do the test though. I did have adblock and flashblock still on.
Re:Firefox (Score:2)
Funny, I didn't. I did get an "open this with..." dialog for a Flash file, which I ignored, so that could be it.
Re:Firefox (Score:2)
Re:Firefox (Score:2)
Re:Firefox (Score:2)
Re:Does this work with SSL sites too? (Score:2)
It only takes one click to send my login and password to a phisher.
Re:Does this work with SSL sites too? (Score:2)
Re:Does this work with SSL sites too? (Score:2, Interesting)
https://www.google.com/ [google.com] in the address bar BUT does not use ssl you do not get the lock in IE.. and also if you try and use it with a domain other than the one the link is on it causes a full redirect and you get the right adress in the bar same happens if you try it on a site that is using ssl