Microsoft Probes Flaw That Could Help Fraudsters Create Fake Web Sites

Security Pipeline ^ | December 11, 2003 | George V. Hulme

[Perseverando]

InformationWeek

Danish information security consulting firm Secunia is warning Microsoft Internet Explorer users of a vulnerability that could enable Internet fraudsters to create more-realistic and authentic-looking fake Web sites.

Secunia says it has found an "input validation" error in Internet Explorer. By exploiting this vulnerability, known as a URL-spoofing vulnerability, attackers can display any URL name they wish in the address and status bars of IE.

This flaw would make it appear to Internet users that they're visiting a banking Web site, for example, when that site is actually a front for fraudsters attempting to collect sensitive financial information.

Secunia says the vulnerability has been confirmed in Internet Explorer 6.0, though other versions may be affected as well.

Microsoft has taken issue with the way Secunia made information about the flaw public.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities," the company said in a statement.

Microsoft said it's investigating the flaw and that it's not aware of any affected customers or hacking tools that are available to take advantage of the flaw. In its statement, Microsoft said it would consider issuing a patch if needed.

Secunia has a test on its Web site for users to see if they're vulnerable to the URL-spoofing flaw. It's available on the Secunia web site.

[Perseverando]

This is a must read for those who do financial transactions on the web and/or use secure sights!

Here's the link for Secunia where you can check to see if your version of Microsoft Internet Explorer is susceptible to the "Internet Explorer URL Spoofing Vulnerability".

I took the test, and my browser FAILED

This is not good, Freepers!!

Hopefully, Microsoft will get on the ball and quickly fix, yet another "hole" in their "Swiss cheese" browser.

[Cicero]

Secunia behaved very badly, IMHO, by making this flaw public before Microsoft had a chance to make a fix for it.

There's another story on this flaw here, with a few more technical details (and some fatuous editorializing):

http://www.betanews.com/article.php3?sid=1071248425

[steplock]

As I sent to ALL my contacts a cou9ple of days ago....

I normally will not recommend doing this, but there is a MAJOR flaw in Internet Explorer that makes its use very dangerous for your security on line!

To illustrate the FLAW, click on the below link - you'll notice the odd name, but this website is actually www.zapthedingbat.com (a test site). If you are using Internet Explorer, you will see the Microsoft logo on the web page and if you look on the "Address Bar" you'll see http://www.microsoft.com instead of the zapthedingbat. This is extremely dangerous for internet security and microsoft has NOT repaired this.

http://www.microsoft.com
@zapthedingbat.com/security/ex01/vun2.htm

For a temporary fix - It could be permanent if you like this browser - I would like to recommend you download and install OPERA browser. It loads web pages much faster, but it does work a little differently than Internet Explorer. The following link is to their FREE Download Page - I will also recommend that you download the version that contains JAVA - It is a bit bigger but is need for many web sites.

www.OPERA.com

Any Questions, feel free to contact me.

[Clara Lou]

Do yourself a favor-- use Firebird for your main browser-- anything but IE. Then use Thunderbird for your email.

[TechJunkYard]

Already discussed here: http://www.freerepublic.com/focus/f-news/1038529/posts

[steplock]

I put that one link in backwards....

To test your browser click here:

www.microsoft.com

If your ADDRESS BAR says www.microsoft.com then any of your personal information you enter on-line can bwe compromised. Especially now during the CHRISTmas Season.

[Astronaut]

As if anyone needed one more reason not to use IE. I use Safari on my PowerBook at home, Mozilla on my ThinkPad at work. I am thinking seriously about getting rid of Windows XP altogether and using SuSE Linux 9.0 and an emulator called WineRack so I can run Office. If MS didn't have a lock on the word processor and spreadsheet market, I could ditch MS forever.

[Perseverando]

Thanks for the serving of humble pie.

I did a couple of searches, but failed to spot a previous post. I was surprised that a fellow Freeper had not previously posted this since it was now 3 days old.

[TechJunkYard]

Certainly wasn't intended that way.

But there were lots of examples of the exploit on that thread, and a good discussion of the issues, which might be of interest to those who find this one.

[templar]

I just tried the spoofing test on Mozilla 1.5.

It failed. Apaprently IE isn't the only one suceptible.

Anyone know of a browser that passes this test?

[zeugma]

I'm already getting spam to go to a bogus website to verify my 'e-gold' account that attempts to exploit this vulnerability. Besides the fact that it won't work on any browser on my system, because I use mozilla, not an archaic browser like IE, I don't have an e-gold account!

You can expect to see lots of similar scams soon.

People really need to avoid using IE in their surfing whenever possible.