Free Republic

Microsoft Probes Flaw That Could Help Fraudsters Create Fake Web Sites
Security Pipeline | December 11, 2003 | George V. Hulme

Posted on 12/14/2003 10:18:34 AM PST by Perseverando

InformationWeek

Danish information security consulting firm Secunia is warning Microsoft Internet Explorer users of a vulnerability that could enable Internet fraudsters to create more-realistic and authentic-looking fake Web sites.

Secunia says it has found an "input validation" error in Internet Explorer. By exploiting this vulnerability, known as a URL-spoofing vulnerability, attackers can display any URL name they wish in the address and status bars of IE.

This flaw would make it appear to Internet users that they're visiting a banking Web site, for example, when that site is actually a front for fraudsters attempting to collect sensitive financial information.

Secunia says the vulnerability has been confirmed in Internet Explorer 6.0, though other versions may be affected as well.

Microsoft has taken issue with the way Secunia made information about the flaw public.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities," the company said in a statement.

Microsoft said it's investigating the flaw and that it's not aware of any affected customers or hacking tools that are available to take advantage of the flaw. In its statement, Microsoft said it would consider issuing a patch if needed.

Secunia has a test on its Web site for users to see if they're vulnerable to the URL-spoofing flaw. It's available on the Secunia web site.


TOPICS: Business/Economy; Crime/Corruption; Extended News; Technical
KEYWORDS: computer; computersecurity; explorer; fraud; hacker; internet; microsoft; security; technology; windows
This is a must read for those who do financial transactions on the web and/or use secure sites!

Here's the link for Secunia where you can check to see if your version of Microsoft Internet Explorer is susceptible to the "Internet Explorer URL Spoofing Vulnerability".

I took the test, and my browser FAILED

This is not good, Freepers!!

Hopefully, Microsoft will get on the ball and quickly fix yet another "hole" in their "Swiss cheese" browser.

1 posted on 12/14/2003 10:18:37 AM PST by Perseverando

To: Perseverando
Secunia behaved very badly, IMHO, by making this flaw public before Microsoft had a chance to make a fix for it.

There's another story on this flaw here, with a few more technical details (and some fatuous editorializing):

http://www.betanews.com/article.php3?sid=1071248425
2 posted on 12/14/2003 10:30:10 AM PST by Cicero (Marcus Tullius)

To: Perseverando
As I sent to ALL my contacts a couple of days ago....

I normally will not recommend doing this, but there is a MAJOR flaw in Internet Explorer that makes its use very dangerous for your security on line!

To illustrate the FLAW, click on the below link - you'll notice the odd name, but this website is actually www.zapthedingbat.com (a test site). If you are using Internet Explorer, you will see the Microsoft logo on the web page and if you look on the "Address Bar" you'll see http://www.microsoft.com instead of the zapthedingbat. This is extremely dangerous for internet security and Microsoft has NOT repaired this.

http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm

For a temporary fix - It could be permanent if you like this browser - I would like to recommend you download and install OPERA browser. It loads web pages much faster, but it does work a little differently than Internet Explorer. The following link is to their FREE Download Page - I will also recommend that you download the version that contains JAVA - It is a bit bigger but is needed for many web sites.

www.OPERA.com

Any Questions, feel free to contact me.
3 posted on 12/14/2003 10:37:39 AM PST by steplock (www.FOCUS.GOHOTSPRINGS.com)
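The test link in the post above puts `www.microsoft.com` in the URL's userinfo field (the part before `@`), while the host actually contacted is `zapthedingbat.com`. As an added example (not part of the original thread), this Node.js code flags such links in message text; the function names and the sample message are constructed for illustration.

```javascript
// Added example: flag http(s) links whose userinfo (the text before "@")
// looks like a hostname different from the host actually contacted.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Percent-decode the userinfo, falling back to the raw text if it is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns null when the URL has no userinfo, otherwise a finding object.
function checkUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; } // not an absolute URL
  if (!/^https?:$/.test(u.protocol) || u.username === "") return null;
  const userinfo = safeDecode(u.username);
  const actualHost = u.hostname; // already lower-cased by the URL parser
  const deceptive =
    HOSTLIKE.test(userinfo) && userinfo.toLowerCase() !== actualHost;
  return { url: raw, userinfo, actualHost, deceptive };
}

// Pull every http(s) link out of free text and keep only the deceptive ones.
function scanText(text) {
  const links = text.match(/https?:\/\/[^\s<>"']+/gi) || [];
  return links.map(checkUrl).filter((f) => f && f.deceptive);
}

// Constructed sample message; the first URL is the test link quoted in the post above.
const SAMPLE_MAIL = [
  "Please verify your account: http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm",
  "Our real site is http://www.example.com/login and nothing else",
  "Intranet link: http://alice@intranet.example/wiki",
].join("\n");

for (const f of scanText(SAMPLE_MAIL)) {
  console.log(`SUSPICIOUS: shows "${f.userinfo}" but connects to "${f.actualHost}"`);
}
```

A plain user name such as `alice` is reported by `checkUrl` but not marked deceptive, since it does not resemble a hostname.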

To: Perseverando
Do yourself a favor-- use Firebird for your main browser-- anything but IE. Then use Thunderbird for your email.
4 posted on 12/14/2003 10:38:38 AM PST by Clara Lou

To: Perseverando
Already discussed here: http://www.freerepublic.com/focus/f-news/1038529/posts
5 posted on 12/14/2003 10:41:07 AM PST by TechJunkYard

To: steplock
I put that one link in backwards....

To test your browser click here:

www.microsoft.com

If your ADDRESS BAR says www.microsoft.com then any of your personal information you enter on-line can be compromised. Especially now during the CHRISTmas Season.
6 posted on 12/14/2003 10:41:17 AM PST by steplock (www.FOCUS.GOHOTSPRINGS.com)

To: Perseverando
As if anyone needed one more reason not to use IE. I use Safari on my PowerBook at home, Mozilla on my ThinkPad at work. I am thinking seriously about getting rid of Windows XP altogether and using SuSE Linux 9.0 and an emulator called WineRack so I can run Office. If MS didn't have a lock on the word processor and spreadsheet market, I could ditch MS forever.
7 posted on 12/14/2003 10:44:30 AM PST by Astronaut

To: TechJunkYard
Thanks for the serving of humble pie.

I did a couple of searches, but failed to spot a previous post. I was surprised that a fellow Freeper had not previously posted this since it was now 3 days old.
8 posted on 12/14/2003 10:46:23 AM PST by Perseverando

To: Perseverando
Certainly wasn't intended that way.

But there were lots of examples of the exploit on that thread, and a good discussion of the issues, which might be of interest to those who find this one.

9 posted on 12/14/2003 11:45:23 AM PST by TechJunkYard

To: Perseverando
I just tried the spoofing test on Mozilla 1.5.

It failed. Apparently IE isn't the only one susceptible.

Anyone know of a browser that passes this test?

10 posted on 12/14/2003 11:53:42 AM PST by templar

To: Perseverando
I'm already getting spam to go to a bogus website to verify my 'e-gold' account that attempts to exploit this vulnerability. Besides the fact that it won't work on any browser on my system, because I use mozilla, not an archaic browser like IE, I don't have an e-gold account!

You can expect to see lots of similar scams soon.

People really need to avoid using IE in their surfing whenever possible.

11 posted on 12/14/2003 1:02:23 PM PST by zeugma (If you eat a live toad first thing in the morning, nothing worse will happen all day.)
