New Browser Exploit Found (but not on IE)
DSL Reports | 2/7/2005 | DSL Reports
Posted on 02/07/2005 7:44:07 PM PST by smith288
New Browser Trick Found
Uses homograph attack to spoof links
As members of our Security forum discuss, a new homograph browser trick (see demo page) has been discovered that oddly works in every browser but IE. The trick uses International Domain Name (IDN) character support (using foreign characters that resemble American alphabet letters) to trick your browser into showing fake domain names in hyperlinks and in the address bar. IE doesn't support IDN (though it can via plug-in), so by default isn't vulnerable. More detail in this advisory from the group that discovered it.
TOPICS: Extended News; Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurity; exploit; explorer; firefox; idn; opera
Grabbing popcorn...
1 posted on 02/07/2005 7:44:07 PM PST by smith288
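The homograph trick described in the article above, shown as an added example that is not part of the original post or of any browser's code: a short Python check that converts a hostname to its ASCII (punycode) form and flags labels that mix scripts. The function names and the `.test` hostnames are constructed for illustration, and script detection from Unicode character names is a heuristic assumption.

```python
import unicodedata

def scripts_in(label):
    """Scripts used by a label's letters, approximated from Unicode character names."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits, hyphens and combining marks carry no script here
        # Heuristic: the first word of the character name is its script,
        # e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC".
        found.add("LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def check_host(host):
    """Return the ASCII (punycode) form of host and a list of per-label findings."""
    host = host.strip().rstrip(".").lower()
    findings = []
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            # Letters from two scripts in one label is the classic look-alike case.
            # Legitimate mixes (Japanese kana plus kanji) would need an allow-list.
            findings.append((label, "mixed-script", sorted(scripts)))
        elif scripts - {"LATIN"}:
            # Single non-Latin script: valid IDN, but worth showing as punycode.
            findings.append((label, "non-latin", sorted(scripts)))
    # Python's built-in "idna" codec (IDNA 2003) yields the xn-- form that
    # goes on the wire; displaying it exposes the look-alike.
    ascii_form = host.encode("idna").decode("ascii")
    return ascii_form, findings

# Constructed samples: the second uses U+0430 CYRILLIC SMALL LETTER A in place of "a".
SAMPLES = ["example.test", "ex\u0430mple.test", "\u03c0.test"]

if __name__ == "__main__":
    for h in SAMPLES:
        ascii_form, findings = check_host(h)
        print(f"{h!r:24} -> {ascii_form:28} {findings or 'ok'}")
```
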
To: smith288
I guess this means that homographophobia will become respectable...
2 posted on 02/07/2005 7:46:13 PM PST by sourcery
(This is your country. This is your country under socialism. Any questions? Just say no to Socialism!)
To: smith288
Just set network.enableIDN to "false" in Firefox.
To do this type about:config in the address bar, then network.enableIDN in the filter. Just double click on the parameter name and the value will be changed to false.
You probably have to close the browser for it to take effect (not sure there).
3 posted on 02/07/2005 7:47:38 PM PST by steve86
To: smith288
I like Spoof Stick for FireFox - it tells you where you REALLY are...
SpoofStick
4 posted on 02/07/2005 7:50:20 PM PST by dandelion
(http://thequestionfairy.blogspot.com/)
To: BearWash
I just tried that fix and you didn't have to restart Firefox. Though if you are the type of nerd who gets the nightly releases, you will have to set this to false every time you get the new build.
5 posted on 02/07/2005 7:50:34 PM PST by smith288
("Bravery is not a reaction to fear but the act of ignoring it from honor.")
To: smith288
I would say there are very few IE fixes this easy.
6 posted on 02/07/2005 7:54:31 PM PST by steve86
To: BearWash
What functionality in FireFox would changing network.enableIDN to "false" lose for you, if any?
7 posted on 02/07/2005 7:55:11 PM PST by swilhelm73
(Appeasers believe that if you keep on throwing steaks to a tiger, the tiger will become a vegetarian)
To: smith288
I believe that Microsoft will be releasing 9 updates tomorrow.
Now, I don't blame MS for updating the OS. Especially since the updates are 'free'. Considering that the OS is now 3 years old, and not only are feature-sets being added, problems that were not known, or simply did not exist then are being addressed, as well as new technologies (SATA & SAS); and all of these are repaired free of charge.
Next, when we consider the plethora of machines (Intel, AMD or other processor company's processors), the chipsets supported (nVidia, Via, SiS, Intel, AMD, etc), the quantity of other products (video capture, RAID, NIC, Sound, USB, Firewire, PCI, PCI-X, PCI-express, etc.), the fact that they can release patches which fix problems, without creating new problems truly is amazing.
8 posted on 02/07/2005 7:55:17 PM PST by Hodar
(With Rights, comes Responsibilities. Don't assume one, without assuming the other.)
To: dandelion
Ah-ha just checked it with Spoof Stick - Spoof Stick got SMACKED. So take that back on Spoof Stick; in this exploit, it will not help. Sending an email to the developer...
Switching OFF IDN...
9 posted on 02/07/2005 7:58:18 PM PST by dandelion
(http://thequestionfairy.blogspot.com/)
To: smith288
About setting it repeatedly with new builds, isn't the new parameter value stored in prefs.js in your own home directory? (This is Linux -- maybe Windows stores it in the registry or whatever they call it now).
10 posted on 02/07/2005 7:58:33 PM PST by steve86
To: swilhelm73
What functionality in FireFox would changing network.enableIDN to "false" lose for you,
Apparently those internationalized domain names. Not a big loss to me. I don't think they should use funny characters in domain names. IE doesn't support those anyway.
11 posted on 02/07/2005 8:00:08 PM PST by steve86
I use Shiira for OSX, and it isn't vulnerable... :)
12 posted on 02/07/2005 8:01:32 PM PST by oolatec
To: BearWash
13 posted on 02/07/2005 8:10:53 PM PST by swilhelm73
(Appeasers believe that if you keep on throwing steaks to a tiger, the tiger will become a vegetarian)
To: BearWash
About setting it repeatedly with new builds, isn't the new parameter value stored in prefs.js in your own home directory? (This is Linux -- maybe Windows stores it in the registry or whatever they call it now).
It stores it in prefs.js on a win32 but I think that bit of info was meant for people who just wipe their ff dir out when they get a new build
14 posted on 02/07/2005 8:11:36 PM PST by smith288
("Bravery is not a reaction to fear but the act of ignoring it from honor.")
To: smith288; BearWash
Hey guys - it's not working! I confirmed on the demo page and the forum, and they are getting the same response - THE IDN FALSE WORKAROUND *DOESN'T* WORK FOR FIREFOX 1.0. Evidently this workaround only performs in 0.93 - we should see more on Mozillazine.
http://forums.mozillazine.org/viewtopic.php?t=214828
Once again - the workaround does NOT work for Firefox 1.0. Confirm on the demo page before you assume it works in your browser...
15 posted on 02/07/2005 8:15:00 PM PST by dandelion
(http://thequestionfairy.blogspot.com/)
To: BearWash
16 posted on 02/07/2005 8:16:01 PM PST by Blood of Tyrants
(God is not a Republican. But Satan is definitely a Democrat.)
To: dandelion
I'll certainly check into that. Usually I go to slashdot for the full scoop but don't have time now.
17 posted on 02/07/2005 8:17:39 PM PST by steve86
To: BearWash
Clarifications are on Mozillazine - evidently the workaround gets "reset" every time Firefox is started, so it may work THIS time, but not after you reopen. Nightly Build may address this...
18 posted on 02/07/2005 8:17:52 PM PST by dandelion
(http://thequestionfairy.blogspot.com/)
To: dandelion
Yeah, I saw newer builds might have it fixed. Shows you have to test more than once, that's for sure!
19 posted on 02/07/2005 8:22:08 PM PST by steve86
To: dandelion
Hey guys - it's not working!
I have FF 1.0 and it works for me
20 posted on 02/07/2005 8:25:22 PM PST by smith288
("Bravery is not a reaction to fear but the act of ignoring it from honor.")
To: smith288
For this spoof to work, you'd have to head to the site from another phishing site or click on a fraudulent email link. This would be one sharp phisher, as the logistics of making a convincing site are pretty difficult using foreign letter codes. Heck, I have a big enough problem making links work with a regular alphabet.
I've never been whacked on my Windows machine or my Mac, by following a couple of simple rules:
1. Don't click on email links
2. Keep virus protection up to date
3. Use a firewall
4. Turn off java
5. Turn off activeX except at trusted sites
6. Turn off javascript when surfing unknown sites
7. Run an Adaware check every so often.
8. If a popup window asks if you want to install the plugin, the answer is no.
21 posted on 02/07/2005 8:32:32 PM PST by Richard Kimball
(It was a joke. You know, humor. Like the funny kind. Only different.)
To: Richard Kimball
I have found the best Anti-Adware program is Microsoft's new one they have out on beta. It caught everything on my machine at work that was completely stifled by adware that was running resident in memory. I have it run at 3am and when I get in the next day, it has a dialog box report of what the scan results were. I haven't had any problems since.
22 posted on 02/07/2005 8:42:40 PM PST by smith288
("Bravery is not a reaction to fear but the act of ignoring it from honor.")
To: smith288
I have FF 1.0 and it works for me
Even after you restart and run the test?
23 posted on 02/07/2005 9:01:41 PM PST by steve86
To: smith288
Just curious, but how do you KNOW it got everything? 'Cause, you know, you just don't know what you don't know, you know? :)
:O)
P
24 posted on 02/07/2005 9:18:39 PM PST by papasmurf
(Dear Lord, Please make me the Commanding General In Iraq for just 3 months, Amen.)
To: All
To: BearWash
Unfortunately, after restarting Firefox, the about:config setting reads false, but the system is susceptible. =(
26 posted on 02/07/2005 9:53:40 PM PST by yevgenie
(8 bits in a byte; 2 bits to a quarter ($.25) ==> so, 8 bits is a dollar ???)
To: smith288; All
Once again, thanks for the tips! :o)
To: papasmurf
Just curious, but how do you KNOW it got everything? 'Cause, you know, you just don't know what you don't know, you know? :)
I don't have casino icons popping up on my desktop or see any weird traffic leaving my machine... All the processes running are accounted for and legit. :)
28 posted on 02/08/2005 9:20:46 AM PST by smith288
("Bravery is not a reaction to fear but the act of ignoring it from honor.")