Open source firm releases patch for IE spoofing flaw

The Age ^ | December 18, 2003 | Sam Varghese

[Russian Sage]

Open source firm releases patch for IE spoofing flaw

By Sam Varghese December 18, 2003

An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information.

Openwares.org, a Vaunatian company, with branches in Israel, the US and France, released the patch and the source code for the same a couple of days back.

The company has also set up two pages where users can test to see if they are vulnerable to the exploit, one a fake Microsoft Update example and the other an example of a fake PayPal site.

In its advisory, issued along with the patch, Openwares.org said: "Successful exploitation (of this flaw) allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page."

It gave the vulnerability a rating of 5 on a five-point scale.

While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.

The flaw was disclosed on December 9 by graphic designer Sam Greenhalgh.

[Cicero]

Huh. Very interesting. The spoof does indeed work as it was said to. But I don't know that I want to mess with a patch that modifies any of my MS system files in some way. And I'm not enough of a computer guru to figure out what the patch does without more of an explanation, although they offer open source code as well as the patch.

I think I'll wait.

[smith288]

So what is so hard about supplying a quick patch like this company did??? I installed this "patch" and it worked great.

[smith288]

Appears to be an ActiveX file... It doesnt mess with MS source code.

[templar]

Mozilla is vulnerable as well. Does anyone know of a patch for it?

[sigSEGV]

Mozilla is not vunerable.

[Russian Sage]

I use Mozilla. It tests OK without a patch.

[templar]

I use Mozilla. It tests OK without a patch.

What version? I'm using 1.5 and it failed the test that was posted on the other thread.

[templar]

Mozilla is not vunerable.

Mine, version 1.5, failed the test.

[flashbunny]

In what way did it fail? Did it show you the real URL in the status field or the fake url?

[ShadowAce]

tech ping redirect. This is the original thread. I asked the admin moderator to delete mine.

thanks.

[sigSEGV]

You sure about that?

Did you see:

www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
or
www.microsoft.com

in the address bar?

[TechJunkYard]

DO NOT install the Open Source patch! It introduces a buffer overflow vulnerability which is worse than the original problem.

A perfect example of jumping the gun, IMHO.

See the updated piece at The Register.

[TechJunkYard]

See #13 and un-install that patch, if you can.

[smith288]

Thanks

[kitkat]

BUMP

[Cicero]

I decided not to install it because there wasn't enough information on the web site about what it did or whether it could be fully uninstalled. Also I was worried that it might not be compatible with whatever patch MS finally decides to release.

Does it show up in Add/Remove Programs for uninstalling? Have you tried uninstalling it?

[smith288]

Im at work now but ill see when I get home...

[BallandPowder]

Powder..Patch..Ball FIRE!

The patch does what it is supposed to do. I downloaded it this morning and it works just as expected. IE6 on NT4 SP6 Compaq laptop.

[TechJunkYard]

From what I'm reading, it doesn't actually fix the problem; it just detects exploited URLs and sends you to a warning page instead of the exploit page.

But it uses only a 256-byte buffer with no overflow checking, and their web site may be accumulating a list of exploited URLs and user IP addresses.

My advice is to ignore this thing and wait for the official Microsoft patch.