Posted on 12/17/2004 7:03:17 AM PST by holymoly
Even SP2 versions of Microsoft's Internet Explorer are vulnerable to a spoofing exploit published yesterday.
A vulnerability researcher posted details of a dangerous Internet Explorer (IE) flaw on Thursday that allows phishers to spoof Web sites more realistically than ever before.
According to security company Secunia, Paul from Greyhats -- a research group -- has published details of a vulnerability that can be exploited to spoof the content of any Web site.
Using the exploit, scammers are able to manipulate all versions of IE, including Windows XP SP2 -- the latest and most secure version of the browser -- and spoof the URL and SSL signature padlock located at the bottom of the browser screen.
The vulnerability is caused by a cross-site scripting vulnerability in the DHTML Edit ActiveX control, but because the flaw is within the browser, it can be used against any Web site, Secunia said.
"That is huge," said Thomas Kristensen, chief technology officer for Secunia. "When you cross-site script a Web site, the user can’t see that anything unusual is happening. The URL looks like it's a legitimate site and if you go to the SSL padlock, it will show a certificate for the site even though it is controlled by malicious scripting."
"The malicious Web site can control what is seen in the address bar. People still don't realise the significant impact of cross-site scripting. This is the vulnerability that phishers and scammers have been looking for. You could also steal cookies from any Web site," Kristensen warned.
"The most likely outcome is a phishing email, where users click on a link, then open the browser. They then briefly see the URL of the malicious Web site, and then see the scam Web site," Kristensen added.
Nick McGrath, Microsoft's security spokesman, and the Microsoft UK security team was unavailable to comment at the time of writing because they are in the United States. The company has previously frowned upon researchers who have posted exploits without letting it know first.
Kristensen said he was unsure why Paul chose to publish the exploit before informing Microsoft. Secunia has developed an exploit test on its Web site which is available for download.
Secunia has labelled the vulnerability as "moderately critical" because people cannot use it to access systems.
If you have Pivx's Qwik Fix software installed, you're protected against this exploit - one for which Microsoft has yet to release a patch.
bump
Very useful info. Thanks!
Opera vote ping
Makes one wonder how the 4.5 MB Firefox is so much more secure than the gargantuan 25 MB IE. It's not a flaw! It's a feature don't you know!! LOL!!! Death to IE!
Avant
Fastbrowser
Maxthon
and several others use the IE engine.
I have used Fastbrowser for several years because it was one of the first tabbed browsers (nice for FR viewing) and it had built-in speech (again, nice for FR, especially for long news articles).
FireFox has both, now--tabs and speech. I am using it occasionally, trying to get used to it. If you want speech on FireFox, check out the extension, FoxyVoice. It requires the MS speech engine, which is available free from this link:
http://www.tucows.com/adnload/193770_87093.html
Another reason to dump IE and use Firefox!
I've pretty much given up IE.
bwhahaha what an aweful week for Microsoft, first *wordpad* and now this... Here come the MS guys to tell us that they are just as structurally secure and anyoneone else..
Prevx Home is an intrusion prevention software, and it is free for home use.
I'm not sure about this particular security issue, but I've been running Prevx for a few weeks. It alerts to any significant changes to exe's and the registry.
Check it out---it is free and is not a trial or time-limited version.
http://www.prevx.com/prevxhome.asp
How does this affect us AOL users....
Wise decision. I just stumbled across this:
Firefox is hot; Thunderbird's not — for good reason
"This week, Microsoft announced five new security flaws in IE, bringing the total this year to 45 — or about 43 more than many people consider tolerable. And last week, Penn State University implored its 80,000-plus students and faculty to stop using IE purely for security's sake."
I knew there were many, many bugs & flaws discovered in IE this year, but I had no idea the number was this high.
Opera still has free version--but it comes with ads.
Phishers are constantly out there.
I get at least three-five ebay or paypal phisher email a week, I believe. I even get some from companies I have no account with. I used to turn them all in. Now I just delete them.
But after awhile, you begin to recognize the scripts, like with the "help the nigerian whatever get money out of the country scam" Someone's with an out of country IP has been using your account. Sometimes you get a message like a very large purchase was made with your account, and you get an oportunity to cancel if you go to this link. Saw a new one last week for paypal...email informing you that a new email address had been added to your account. If you want to verify it, just click here (and they were using an exploit that made it look like the URL was legit). Being an old hand at this, I went directly on another page to PP, and lo and behold, nothing of the kind had happened.
Phishers are evil and should be burned at the stake.
I only use IE for the rare page that won't work with anything else. I like mozilla products, myself. Been using netscape/mozilla since netscape 1. Never did use IE much, and every day means I want to use it less and less. Besides all the bugs, it's ancient technology.
Of course, if today most internet users all switched to Browser X, within a week Browser X would be the one getting all the hackings and viruses and trojans and worms.
The havoc creators are going for the most popular one -- biggest bang for their buck, so to speak.
Gosh, I'm sure glad the Dept of Commerce is enforcing the anti-bundling laws so every Windows user doesn't have this huge security hole installed on their... oh, wait. Nevermind.
Thanks for the info on the spoofstick extension-- just downloaded it.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.