Microsoft Probes Flaw That Could Help Fraudsters Create Fake Web Sites
Security Pipeline | December 11, 2003 | George V. Hulme
Posted on 12/14/2003 10:18:34 AM PST by Perseverando
InformationWeek
Danish information security consulting firm Secunia is warning Microsoft Internet Explorer users of a vulnerability that could enable Internet fraudsters to create more-realistic and authentic-looking fake Web sites.
Secunia says it has found an "input validation" error in Internet Explorer. By exploiting this vulnerability, known as a URL-spoofing vulnerability, attackers can display any URL name they wish in the address and status bars of IE.
This flaw would make it appear to Internet users that they're visiting a banking Web site, for example, when that site is actually a front for fraudsters attempting to collect sensitive financial information.
Secunia says the vulnerability has been confirmed in Internet Explorer 6.0, though other versions may be affected as well.
Microsoft has taken issue with the way Secunia made information about the flaw public.
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities," the company said in a statement.
Microsoft said it's investigating the flaw and that it's not aware of any affected customers or hacking tools that are available to take advantage of the flaw. In its statement, Microsoft said it would consider issuing a patch if needed.
Secunia has a test on its Web site for users to see if they're vulnerable to the URL-spoofing flaw. It's available on the Secunia web site.
TOPICS: Business/Economy; Crime/Corruption; Extended News; Technical
KEYWORDS: computer; computersecurity; explorer; fraud; hacker; internet; microsoft; security; technology; windows
This is a must read for those who do financial transactions on the web and/or use secure sites! Here's the link for Secunia where you can check to see if your version of Microsoft Internet Explorer is susceptible to the "Internet Explorer URL Spoofing Vulnerability".
I took the test, and my browser FAILED
This is not good, Freepers!!
Hopefully, Microsoft will get on the ball and quickly fix yet another "hole" in their "Swiss cheese" browser.
To: Perseverando
Secunia behaved very badly, IMHO, by making this flaw public before Microsoft had a chance to make a fix for it.
There's another story on this flaw here, with a few more technical details (and some fatuous editorializing):
http://www.betanews.com/article.php3?sid=1071248425
2 posted on 12/14/2003 10:30:10 AM PST by Cicero (Marcus Tullius)
To: Perseverando
As I sent to ALL my contacts a couple of days ago....
I normally will not recommend doing this, but there is a MAJOR flaw in Internet Explorer that makes its use very dangerous for your security on line!
To illustrate the FLAW, click on the below link - you'll notice the odd name, but this website is actually www.zapthedingbat.com (a test site). If you are using Internet Explorer, you will see the Microsoft logo on the web page and if you look on the "Address Bar" you'll see http://www.microsoft.com instead of the zapthedingbat. This is extremely dangerous for internet security and Microsoft has NOT repaired this.
http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm
For a temporary fix - It could be permanent if you like this browser - I would like to recommend you download and install OPERA browser. It loads web pages much faster, but it does work a little differently than Internet Explorer. The following link is to their FREE Download Page - I will also recommend that you download the version that contains JAVA - It is a bit bigger but is needed for many web sites.
www.OPERA.com
Any Questions, feel free to contact me.
3 posted on 12/14/2003 10:37:39 AM PST by steplock (www.FOCUS.GOHOTSPRINGS.com)
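An added example, not part of the original thread: a Python check that a mail or proxy filter could apply to links like the one quoted in the post above, where the text before the `@` is URL userinfo and the host actually contacted is what follows it. The function name `inspect_url`, the finding labels and every sample URL except the one quoted in the post are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Loose "looks like a DNS name" pattern: dot-separated labels ending in a
# letters-only label. A heuristic for this example, not a full validator.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Return the host a URL really points at, plus any decoy in its userinfo."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    real_host = (parts.hostname or "").lower()
    decoy, findings = None, []
    if at:
        findings.append("userinfo-present")
        # Percent-decode and drop non-printable characters so an encoded
        # userinfo cannot hide a hostname-like string from the pattern.
        user = unquote(userinfo.split(":", 1)[0])
        user = "".join(c for c in user if c.isprintable()).strip()
        if HOSTLIKE.match(user) and user.lower() != real_host:
            decoy = user.lower()
            findings.append("userinfo-looks-like-host")
    return {"real_host": real_host, "decoy": decoy, "findings": findings}


# Sample input: the first URL is the one quoted in the post; the rest are
# constructed for this example.
SAMPLES = [
    "http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm",
    "http://www.bank.example:443@host.example/login",
    "ftp://alice:secret@files.example.net/pub",
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = inspect_url(url)
        verdict = "SUSPICIOUS" if result["decoy"] else "ok"
        print(f"{verdict:10} host={result['real_host']:22} {url}")
```

Ordinary credentials in a URL (the `ftp://alice:...` sample) are reported as userinfo but not as a decoy, so a filter can treat the two cases differently.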
To: Perseverando
Do yourself a favor-- use Firebird for your main browser-- anything but IE. Then use Thunderbird for your email.
4 posted on 12/14/2003 10:38:38 AM PST by Clara Lou
To: Perseverando
To: steplock
I put that one link in backwards....
To test your browser click here:
www.microsoft.com
If your ADDRESS BAR says www.microsoft.com then any of your personal information you enter on-line can be compromised. Especially now during the CHRISTmas Season.
6 posted on 12/14/2003 10:41:17 AM PST by steplock (www.FOCUS.GOHOTSPRINGS.com)
To: Perseverando
As if anyone needed one more reason not to use IE. I use Safari on my PowerBook at home, Mozilla on my ThinkPad at work. I am thinking seriously about getting rid of Windows XP altogether and using SuSE Linux 9.0 and an emulator called WineRack so I can run Office. If MS didn't have a lock on the word processor and spreadsheet market, I could ditch MS forever.
7 posted on 12/14/2003 10:44:30 AM PST by Astronaut
To: TechJunkYard
Thanks for the serving of humble pie.
I did a couple of searches, but failed to spot a previous post. I was surprised that a fellow Freeper had not previously posted this since it was now 3 days old.
To: Perseverando
Certainly wasn't intended that way.
But there were lots of examples of the exploit on that thread, and a good discussion of the issues, which might be of interest to those who find this one.
To: Perseverando
I just tried the spoofing test on Mozilla 1.5.
It failed. Apparently IE isn't the only one susceptible.
Anyone know of a browser that passes this test?
10 posted on 12/14/2003 11:53:42 AM PST by templar
To: Perseverando
I'm already getting spam to go to a bogus website to verify my 'e-gold' account that attempts to exploit this vulnerability. Besides the fact that it won't work on any browser on my system, because I use Mozilla, not an archaic browser like IE, I don't have an e-gold account!
You can expect to see lots of similar scams soon.
People really need to avoid using IE in their surfing whenever possible.
11 posted on 12/14/2003 1:02:23 PM PST by zeugma (If you eat a live toad first thing in the morning, nothing worse will happen all day.)