Free Republic
News/Activism

New Browser Exploit Found (but not on IE)
DSL Reports ^ | 2/7/2005 | DSL Reports

Posted on 02/07/2005 7:44:07 PM PST by smith288

New Browser Trick Found
Uses homograph attack to spoof links

As members of our Security forum discuss, a new homograph browser trick (see demo page) has been discovered that oddly works in every browser but IE. The trick uses International Domain Name (IDN) character support (using foreign characters that resemble American alphabet letters) to trick your browser into showing fake domain names in hyperlinks and in the address bar. IE doesn't support IDN (though it can via plug-in), so by default isn't vulnerable. More detail in this advisory from the group that discovered it.


TOPICS: Extended News; Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurity; exploit; explorer; firefox; idn; opera
Grabbing popcorn...
1 posted on 02/07/2005 7:44:07 PM PST by smith288
[ Post Reply | Private Reply | View Replies]
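
Added example, not part of the original post or the linked advisory: a defensive check for the lookalike trick the article describes. It converts a hostname to the ASCII (Punycode) form that DNS actually resolves and flags any label that mixes scripts. The sample hostnames are constructed, and taking the first word of each Unicode character name as its script is an assumption made to keep the check inside the Python standard library.

```python
import unicodedata


def label_scripts(label):
    """Return the scripts used by the letters of one DNS label.

    Heuristic (assumption of this example): the first word of the Unicode
    character name (LATIN, CYRILLIC, GREEK, ...) stands in for the script.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_host(host):
    """Report the ASCII form of a hostname and any mixed-script labels."""
    # ASCII-compatible form: this is the name that is really looked up.
    ascii_form = host.encode("idna").decode("ascii")
    # Unicode form: what an IDN-aware browser may show in the address bar.
    unicode_form = ascii_form.encode("ascii").decode("idna")
    mixed = []
    for label in unicode_form.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:  # e.g. Latin letters plus one Cyrillic lookalike
            mixed.append((label, sorted(scripts)))
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": ascii_form != unicode_form,
        "mixed_script_labels": mixed,
    }


# Constructed samples: plain ASCII, a Latin name with Cyrillic U+0430 in
# place of "a", and a label written entirely in Cyrillic.
SAMPLES = [
    "example.com",
    "ex\u0430mple.com",
    "\u043f\u043e\u0447\u0442\u0430.example",
]

if __name__ == "__main__":
    for host in SAMPLES:
        result = inspect_host(host)
        verdict = "SUSPICIOUS" if result["mixed_script_labels"] else "ok"
        print(f'{verdict:10} {result["ascii"]:28} {result["mixed_script_labels"]}')
```

A label written entirely in one non-Latin script is reported as an IDN but not as mixed, so a name built only from lookalike letters of a single script still needs the ASCII form shown to the user.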

To: smith288
I guess this means that homographophobia will become respectable...
2 posted on 02/07/2005 7:46:13 PM PST by sourcery (This is your country. This is your country under socialism. Any questions? Just say no to Socialism!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: smith288
Just set network.enableIDN to "false" in Firefox.

To do this type about:config in the address bar, then network.enableIDN in the filter. Just double click on the parameter name and the value will be changed to false.

You probably have to close the browser for it to take effect (not sure there).

3 posted on 02/07/2005 7:47:38 PM PST by steve86
[ Post Reply | Private Reply | To 1 | View Replies]

To: smith288
I like Spoof Stick for FireFox - it tells you where you REALLY are...
SpoofStick
4 posted on 02/07/2005 7:50:20 PM PST by dandelion (http://thequestionfairy.blogspot.com/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BearWash

I just tried that fix and you didn't have to restart Firefox. Though if you are the type of nerd who gets the nightly releases, you will have to set this to false every time you get the new build.


5 posted on 02/07/2005 7:50:34 PM PST by smith288 ("Bravery is not a reaction to fear but the act of ignoring it from honor.")
[ Post Reply | Private Reply | To 3 | View Replies]

To: smith288

I would say there are very few IE fixes this easy.


6 posted on 02/07/2005 7:54:31 PM PST by steve86
[ Post Reply | Private Reply | To 5 | View Replies]

To: BearWash

What functionality in FireFox would changing network.enableIDN to "false" lose for you, if any?


7 posted on 02/07/2005 7:55:11 PM PST by swilhelm73 (Appeasers believe that if you keep on throwing steaks to a tiger, the tiger will become a vegetarian)
[ Post Reply | Private Reply | To 3 | View Replies]

To: smith288

I believe that Microsoft will be releasing 9 updates tomorrow.

Now, I don't blame MS for updating the OS. Especially since the updates are 'free'. Considering that the OS is now 3 years old, and not only are feature-sets being added, problems that were not known, or simply did not exist then are being addressed, as well as new technologies (SATA & SAS); and all of these are repaired free of charge.

Next, when we consider the plethora of machines (Intel, AMD or other processor company's processors), the chipsets supported (nVidia, Via, SiS, Intel, AMD, etc.), the quantity of other products (video capture, RAID, NIC, Sound, USB, Firewire, PCI, PCI-X, PCI-express, etc.), the fact that they can release patches which fix problems, without creating new problems, truly is amazing.


8 posted on 02/07/2005 7:55:17 PM PST by Hodar (With Rights, comes Responsibilities. Don't assume one, without assuming the other.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dandelion

Ah-ha just checked it with Spoof Stick - Spoof Stick got SMACKED. So take that back on Spoof Stick; in this exploit, it will not help. Sending an email to the developer...

Switching OFF IDN...


9 posted on 02/07/2005 7:58:18 PM PST by dandelion (http://thequestionfairy.blogspot.com/)
[ Post Reply | Private Reply | To 4 | View Replies]

To: smith288
About setting it repeatedly with new builds, isn't the new parameter value stored in prefs.js in your own home directory? (This is Linux -- maybe Windows stores it in the registry or whatever they call it now).
10 posted on 02/07/2005 7:58:33 PM PST by steve86
[ Post Reply | Private Reply | To 5 | View Replies]

To: swilhelm73
What functionality in FireFox would changing network.enableIDN to "false" lose for you,

Apparently those internationalized domain names. Not a big loss to me. I don't think they should use funny characters in domain names. IE doesn't support those anyway.

11 posted on 02/07/2005 8:00:08 PM PST by steve86
[ Post Reply | Private Reply | To 7 | View Replies]

I use Shiira for OSX, and it isn't vulnerable... :)


12 posted on 02/07/2005 8:01:32 PM PST by oolatec
[ Post Reply | Private Reply | To 11 | View Replies]

To: BearWash

Thanks for the tip.


13 posted on 02/07/2005 8:10:53 PM PST by swilhelm73 (Appeasers believe that if you keep on throwing steaks to a tiger, the tiger will become a vegetarian)
[ Post Reply | Private Reply | To 11 | View Replies]

To: BearWash
About setting it repeatedly with new builds, isn't the new parameter value stored in prefs.js in your own home directory? (This is Linux -- maybe Windows stores it in the registry or whatever they call it now).

It stores it in prefs.js on a win32 but I think that bit of info was meant for people who just wipe their ff dir out when they get a new build.

14 posted on 02/07/2005 8:11:36 PM PST by smith288 ("Bravery is not a reaction to fear but the act of ignoring it from honor.")
[ Post Reply | Private Reply | To 10 | View Replies]

To: smith288; BearWash

Hey guys - it's not working! I confirmed on the demo page and the forum, and they are getting the same response - THE IDN FALSE WORKAROUND *DOESN'T* WORK FOR FIREFOX 1.0. Evidently this workaround only performs in 0.93 - we should see more on Mozillazine.

http://forums.mozillazine.org/viewtopic.php?t=214828

Once again - the workaround does NOT work for Firefox 1.0. Confirm on the demo page before you assume it works in your browser...


15 posted on 02/07/2005 8:15:00 PM PST by dandelion (http://thequestionfairy.blogspot.com/)
[ Post Reply | Private Reply | To 5 | View Replies]

To: BearWash

Thanks for the easy fix.


16 posted on 02/07/2005 8:16:01 PM PST by Blood of Tyrants (God is not a Republican. But Satan is definitely a Democrat.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: dandelion

I'll certainly check into that. Usually I go to slashdot for the full scoop but don't have time now.


17 posted on 02/07/2005 8:17:39 PM PST by steve86
[ Post Reply | Private Reply | To 15 | View Replies]

To: BearWash

Clarifications are on Mozillazine - evidently the workaround gets "reset" every time Firefox is started, so it may work THIS time, but not after you reopen. Nightly Build may address this...


18 posted on 02/07/2005 8:17:52 PM PST by dandelion (http://thequestionfairy.blogspot.com/)
[ Post Reply | Private Reply | To 15 | View Replies]

To: dandelion

Yeah, I saw newer builds might have it fixed. Shows you have to test more than once, that's for sure!


19 posted on 02/07/2005 8:22:08 PM PST by steve86
[ Post Reply | Private Reply | To 18 | View Replies]

To: dandelion
Hey guys - it's not working!

I have FF 1.0 and it works for me

20 posted on 02/07/2005 8:25:22 PM PST by smith288 ("Bravery is not a reaction to fear but the act of ignoring it from honor.")
[ Post Reply | Private Reply | To 15 | View Replies]

To: smith288
For this spoof to work, you'd have to head to the site from another phishing site or click on a fraudulent email link. This would be one sharp phisher, as the logistics of making a convincing site are pretty difficult using foreign letter codes. Heck, I have a big enough problem making links work with a regular alphabet.

I've never been whacked on my Windows machine or my Mac, by following a couple of simple rules:

1. Don't click on email links
2. Keep virus protection up to date
3. Use a firewall
4. Turn off java
5. Turn off activeX except at trusted sites
6. Turn off javascript when surfing unknown sites
7. Run an Adaware check every so often.
8. If a popup window asks if you want to install the plugin, the answer is no.

21 posted on 02/07/2005 8:32:32 PM PST by Richard Kimball (It was a joke. You know, humor. Like the funny kind. Only different.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Richard Kimball

I have found the best Anti-Adware program is Microsoft's new one they have out on beta. It caught everything on my machine at work that was completely stifled by adware that was running resident in memory. I have it run at 3am and when I get in the next day, it has a dialog box report of what the scan results were. I haven't had any problems since.


22 posted on 02/07/2005 8:42:40 PM PST by smith288 ("Bravery is not a reaction to fear but the act of ignoring it from honor.")
[ Post Reply | Private Reply | To 21 | View Replies]

To: smith288
I have FF 1.0 and it works for me

Even after you restart and run the test?

23 posted on 02/07/2005 9:01:41 PM PST by steve86
[ Post Reply | Private Reply | To 20 | View Replies]

To: smith288

Just curious, but how do you KNOW it got everything? 'Cause, you know, you just don't know what you don't know, you know? :)

:O)

P


24 posted on 02/07/2005 9:18:39 PM PST by papasmurf (Dear Lord, Please make me the Commanding General In Iraq for just 3 months, Amen.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: All
Here are some browsers that have tabs, popup blocking, etc. but still use the IE engine, and most are free:

Maxthon
SlimBrowser
Avant Browser
Netcaptor
Irider

25 posted on 02/07/2005 9:19:28 PM PST by yellowhammer
[ Post Reply | Private Reply | To 1 | View Replies]

To: BearWash

Unfortunately, after restarting Firefox, the about:config setting reads false, but the system is susceptible. =(


26 posted on 02/07/2005 9:53:40 PM PST by yevgenie (8 bits in a byte; 2 bits to a quarter ($.25) ==> so, 8 bits is a dollar ???)
[ Post Reply | Private Reply | To 3 | View Replies]

To: smith288; All

Once again, thanks for the tips! :o)


27 posted on 02/07/2005 10:15:16 PM PST by Titan Magroyne
[ Post Reply | Private Reply | To 1 | View Replies]

To: papasmurf
Just curious, but how do you KNOW it got everything? 'Cause, you know, you just don't know what you don't know, you know? :)

I don't have casino icons popping up on my desktop or see any weird traffic leaving my machine... All the processes running are accounted for and legit. :)

28 posted on 02/08/2005 9:20:46 AM PST by smith288 ("Bravery is not a reaction to fear but the act of ignoring it from honor.")
[ Post Reply | Private Reply | To 24 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
