New Browser Exploit Found (but not on IE)

DSL Reports ^ | 2/7/2005 | DSL Reports

[smith288]

New Browser Trick Found
Uses homograph attack to spoof links

As members of our Security forum discuss, a new homograph browser trick (see demo page) has been discovered that oddly works in every browser but IE. The trick uses International Domain Name (IDN) character support (using foreign characters that resemble American alphabet letters) to trick your browser into showing fake domain names in hyperlinks and in the address bar. IE doesn't support IDN (though it can via plug-in), so by default isn't vulnerable. More detail in this advisory from the group that discovered it.

[smith288]

Grabbing popcorn...

[sourcery]

I guess this means that homographophobia will become respectable...

[steve86]

Just set network.enableIDN to "false" in Firefox.

To do this type about:config in the address bar, then network.enableIDN in the filter. Just double click on the parameter name and the value will be changed to false.

You probably have to close the browser for it to take effect (not sure there).

[dandelion]

I like Spoof Stick for FireFox - it tells you where you REALLY are...
SpoofStick

[smith288]

I just tried that fix and you didnt have to restart Firefox. Though if you are the type of nerd who gets the nightly releases, you will have to set this to false every time you get the new build.

[steve86]

I would say there are very few IE fixes this easy.

[swilhelm73]

What functionality in FireFox would changing network.enableIDN to "false" lose for you, if any?

[Hodar]

I believe that Microsoft will be releasing 9 updates tomorrow.

Now, I don't blame MS for updating the OS. Especially since the updates are 'free'. Considering that the OS is now 3 years old, and not only are feature-sets being added, problems that were not known, or simply did not exist then are being addressed, as well as new technologies (SATA & SAS); and all of these are repaired free of charge.

Next, when we consider the plethora of machines (Intel, AMD or other processor company's processors), the chipsets supported (nVidia, Via, SiS, Intel, AMD, etc), the quantity of other products (video capture, RAID, NIC, Sound, USB, Firewire, PCI, PCI-X, PCI-express, ect.), the fact that they can release patches which fix problems, without creating new problems truly is amazing.

[dandelion]

Ah-ha just checked it with Spoof Stick - Spoof Stick got SMACKED. So take that back on Spoof Stick; in this exploit, it will not help. Sending an email to the developer...

Switching OFF IDN...

[steve86]

About setting it repeatedly with new builds, isn't the new parameter value stored in prefs.js in your own home directory? (This is Linux -- maybe Windows stores it in the registry or whatever they call it now).

[steve86]

What functionality in FireFox would changing network.enableIDN to "false" lose for you,

Apparently those internationalized domain names. Not a big loss to me. I don't think they should use funny characters in domain names. IE doesn't support those anyway.

[oolatec]

I use Shiira for OSX, and it isnt vulnerable... :)

[swilhelm73]

Thanks for the tip.

[smith288]

About setting it repeatedly with new builds, isn't the new parameter value stored in prefs.js in your own home directory? (This is Linux -- maybe Windows stores it in the registry or whatever they call it now).

It stores it in prefs.js on a win32 but I think that bit of info was meant for people who just wipe their ff dir out when they get a new build

[dandelion]

Hey guys - it's not working! I confirmed on the demo page and the forum, and they are getting the same response - THE IDN FALSE WORKAROUND *DOESN'T* WORK FOR FIREFOX 1.0. Evidently this workaround only performs in 0.93 - we should see more on Mozillazine.

http://forums.mozillazine.org/viewtopic.php?t=214828

Once again - the workaround does NOT work for Firefox 1.0. Confirm on the demo page before you assume it works in your browser...

[Blood of Tyrants]

Thanks for the easy fix.

[steve86]

I'll certainly check into that. Usually I go to slashdot for the full scoop but don't have time now.

[dandelion]

Clarifications are on Mozillazine - evidently the workaround gets "reset" everytime Firefox is started, so it may work THIS time, but not after you reopen. Nightly Build may address this...

[steve86]

Yeah, I saw newer builds might have it fixed. Shows you have to test more than once, that's for sure!

[smith288]

Hey guys - it's not working!

I have FF 1.0 and it works for me