Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

New URL Spoofing Flaw Found in Internet Explorer
Netcraft ^ | October 29, 2004 01:52 PM | richm

Posted on 10/30/2004 1:05:40 PM PDT by FreedomCalls

A new spoofing flaw in Microsoft's Internet Explorer browser allows an improperly coded web link to send users to a diffferent URL than the one displayed in the status bar.

The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:

http://www.microsoft.com
displaying http://www.microsoft.com in the browser, but sending the user to Google. Franz says the exploit works in fully-patched versions of Internet Explorer and Outlook Express, meaning the HTML code can be used to create spoofed URLs in webpages and HTML e-mails.

The technique, which can be executed by anyone with basic knowledge of HTML, can be used to construct convicing fake URLs for use in phishing scams. The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL.

The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.

Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Several previous URL spoofing weaknesses in Internet Explorer have been widely used by phishing attacks. The ability to display a fraudulent URL in the status bar is especially useful, as security-conscious users would check the status bar before clicking through. The technique does not disguise the URL displayed in the address bar upon arrival at the destination page, meaning alert users will recognize the spoof at that point. But the tactic could be used to send e-mail recipients and web surfers to pages that attempt to download malware upon loading, a common tactic used by phishers to install trojans and keyloggers.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.



TOPICS: Business/Economy; Front Page News; Miscellaneous; Technical
KEYWORDS: exploit; explorer; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; securityflaw; spoofing; trojan; virus; windows; worm
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-73 next last
To: FreedomCalls

It's a great article, really! ;-)


41 posted on 10/30/2004 2:22:36 PM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 39 | View Replies]

To: ScottM1968
Firefox IS affected if you right click and choose to open in a new tab or window. Bad because that it how I open many links in all the browsers I use. Opera is unaffected, though. See post #40.
42 posted on 10/30/2004 2:25:03 PM PDT by Weirdad (A Free Republic, not a "democracy" (mob rule))
[ Post Reply | Private Reply | To 36 | View Replies]

To: FreedomCalls

It's not working on my IBM Selectric II. Am I doing something wrong?

(It seemed funny when I typed it.)


43 posted on 10/30/2004 2:35:37 PM PDT by UseYourHead (This November, remember who the terrorists are voting for.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: surtcaldera
Safari for the Mac is not fooled, either...
44 posted on 10/30/2004 2:41:12 PM PDT by TXnMA
[ Post Reply | Private Reply | To 19 | View Replies]

To: Weirdad
Right click and choose "Open link in new window" or right click and shoose "OPen link in new tab"....

When you open links this way you defeat all of the protections built into Mozilla/Firefox. I suggest that you always left click on links, as the best way to defeat spoofing.

Personally, I use Camino at home, which is a Mozilla version tailored as a high-speed low-overhead Firefox for Mac OS X (not suggesting you or anyone switch). I don't use tabs for browsing at all, on the theory that the more I let the computer do for me, the less secure the browser is.

45 posted on 10/30/2004 2:45:52 PM PDT by jimtorr
[ Post Reply | Private Reply | To 40 | View Replies]

To: Weirdad
The standard approach does work, though, fortunately.

My problem with Opera is the advertising it displays in the upper right corner of the screen if not the paid version.

I have the current Opera (paid version) as well, but prefer using Firefox because I can recommend that without reservation.
46 posted on 10/30/2004 2:49:48 PM PDT by ScottM1968
[ Post Reply | Private Reply | To 40 | View Replies]

To: FreedomCalls
What's this "Internet Explorer", anyways?

Thanks to Mozilla, I no longer care about these kinds of stories.

47 posted on 10/30/2004 2:50:00 PM PDT by LincolnLover (Useless Vanities and Reposts--The Bane of an Admin Moderator's Existence!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mhking

A real developer would've linked the image to the site lol


48 posted on 10/30/2004 3:06:22 PM PDT by tai-pan (media responsibility? ha!!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: ScottM1968
I use the paid version of Opera. However I agree that Firefox is great and I use it on machines where I do not have Opera.

However, it remains really annoying how many web sites specifically demand Internet Explorer even when they would probably run with another browser. Several hospitals that I long into permit ONLY IE, and both my bank and credit card demand it. Even using another browser ID setting will not work.

One major very expensive software package I must use uses IE components within the application, and as a result is now "broken" by any upgrade to WinXP SP2. So I have to run a less secure OS just to use one megaexpensive app that makes the mistake of being very dependent on MS Software.

49 posted on 10/30/2004 3:15:25 PM PDT by Weirdad (A Free Republic, not a "democracy" (mob rule))
[ Post Reply | Private Reply | To 46 | View Replies]

To: FreedomCalls
From : Euro constitution signed, not sealed (666 one month trilogy; 2nd seal today)
Notice that the title underlines the opposite, which was also as they staged the cerimony.
But what else would you expect ?
That's part of the name of the beast, and it's part of the number of the beast and that's part of the mark of the beast.
50 posted on 10/30/2004 3:27:17 PM PDT by Truth666
[ Post Reply | Private Reply | To 1 | View Replies]

To: FreedomCalls; All
Help for viruses and malware:
 
 Ad-Aware ... Spybot ... Peper Uninstaller ... HijackThis... CWShredder ... Spyware Blaster ... IE Spyad ... Free online Virus scan ... AVG AntiVirus ... LSPfix ... How to Show Hidden Files ... How to boot into Safe Mode ... How did I get infected in the first place?


Things you need--(all FREE)
Anti-Virus
AVG
 Avast
Firewall
Kerio(Direct Download) Zone Alarm
 If are using zone alarm it may slow your PC. Try Outpost Firewall http://www.agnitum.com/products/outpost or Sygate Firewall http://www.sygate.com/, both have FREE and Pro versions and are heads above ZA.
Misc.
IE Spyads SpywareBlaster Spyware Guard
Windows Update- you must keep updated, it is the start of a secure system-
get all CRITICAL Updates

Things you want(Still Free)
 
 Get Firefox I use Firefox PR1 and IMHO, beats the sox off MS Explorer. Life is good with tabs. Click the link and give it a try.

Ad-Aware
Spybot S&D
SpywareBlaster
MS MVP Hosts file
Mike Lin's Homepage and get the Startup Control Panel and Startup Monitor tools.
 
The best forum for malware removal:
 http://forums.spywareinfo.com/index.php?s=262d844129208feb8b0cf5b0186a32f6&act=SC&c=4
SWI Forums--

51 posted on 10/30/2004 3:33:26 PM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the Trackball into the Dawn of Information...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ScottM1968

Firefox freaking rules - I have been using it exclusively since I got it a month ago! Leaves MS Internet Explorer in the DUST!


52 posted on 10/30/2004 3:36:23 PM PDT by HitmanLV (I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: ScottM1968

Of course the first thing most smart IE users do if forced to use it is shut off unsigned AX and make signed work on a permission only basis.


53 posted on 10/30/2004 3:49:13 PM PDT by Fire_on_High (Why are you looking at me so funny? He's just a rat...)
[ Post Reply | Private Reply | To 36 | View Replies]

To: FreedomCalls

Gee, my IE works fine. Sure, the text says the link goes somewhere else, but when I hover over it, the status bar shows the correct URL and after navigation the address bar also shows the correct URL.

Not seeing what the issue is here...


54 posted on 10/30/2004 5:14:49 PM PDT by showpromid ("Want some wood?")
[ Post Reply | Private Reply | To 1 | View Replies]

To: showpromid
Gee, my IE works fine. Not seeing what the issue is here...

Did you RTFA? IE versions 6.0.2800 or less are affected. IE versions 6.0.2900 or later are not.

55 posted on 10/30/2004 5:28:49 PM PDT by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 54 | View Replies]

To: FreedomCalls
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.

One financial institution I deal with allows users of its web site to set a "security phrase" which the Credit Union will include in all legitimate emails. So if you set your Security phrase to "FREEPERS RULE!" then any email you get which is supposedly from that financial institution that lacks those words is a phony.

The use of security phrase would not prevent someone from intercepting a real email to you and using it go generate a fake one. It would, however, stop a more common form of phishing which is to simply send out millions of phony emails without any degree of per-recipient interaction.

Given that such an approach is so simple, why don'y any of the "big" firms do it?

56 posted on 10/30/2004 6:16:50 PM PDT by supercat (If Kerry becomes President, nothing bad will happen for which he won't have an excuse.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe; All

Thanks!

Anyone know the best anti-spam software? Recently I've been getting a lot more than usual... to the point where I feel willing to pay money to stop it...


57 posted on 10/30/2004 6:21:02 PM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 51 | View Replies]

To: k2blader
Okay, I don't understand what the table tag is for.

Consider this table and these addresses:
www.google.com www.dogpile.com
Adding some color will help clarify things. The table itself is a link to www.altavista.com. The table contains links to www.google.com and www.dogpile.com. When a link is contained within a link, there don't seem to be consistently-implemented rules about whether the second link should override the first. I don't know whether the HTML specifications explicitly say, but my guess is that the second link should apply. What happens, though, is that some pieces of code to "find" whether there's a link at a given screen position stop as soon as they find one, while others each until they find the most deeply nested.

By the way, on Firefox, the "normal" text in the table appears as black with a link-colored underline except for the word "table" for which I requested [font color=red] (it appears as red text which with a red underline) and the word "these" for which I requested underlining (it appears as black with black underline).

58 posted on 10/30/2004 6:31:15 PM PDT by supercat (If Kerry becomes President, nothing bad will happen for which he won't have an excuse.)
[ Post Reply | Private Reply | To 37 | View Replies]

To: JoJo Gunn
Firefox users:

There is an extension called SpoofStick that will display the real URL of whereever you're surfing.

For 1.0PR users.

59 posted on 10/30/2004 6:38:39 PM PDT by George Smiley (The only 180 that Kerry hasn't done is the one that would release ALL his military records.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: JoJo Gunn

IE6 goes to kerry


60 posted on 10/30/2004 7:09:00 PM PDT by GregB (Broken Glass Republican!!!!!!!!)
[ Post Reply | Private Reply | To 12 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-73 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson