Non-Microsoft Browsers Have Spoofing Flaw
Netcraft | 2/7/2005 | Netcraft
Posted on 02/07/2005 11:29:30 AM PST by KwasiOwusu
All non-Microsoft browsers include a flaw that allows URL spoofing using Unicode characters, which can be exploited by phishing scams seeking to steal login information for online banking accounts. The spoofing flaw, which is demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla and Opera browsers, as well as the Safari browser for Macs.
The spoof exploits flaws in how the browsers interpret Unicode characters. A link using Unicode characters to replace the letter "a" in "Paypal" will display as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.
Unicode is a broader character set that includes non-English characters as well as symbols, which is being used on the Internet to support Internationalized Domain Names (IDN). The affected browsers support IDN, while Microsoft's Internet Explorer does not.
(Excerpt) Read more at news.netcraft.com ...
TOPICS: Business/Economy; News/Current Events; Technical
KEYWORDS: browsers; computersecurity; firefox; gateslapdog; iuseamacsoiambetter; kneepads; littleprecious; lowqualitycrap; marrymebill; microsoft; microsoftastroturf; mskneepadbrigade; netscape; paidshill; redmondianrobots; redmondpayroll; redmondstooge; safari; trollfromredmond; wontyoumarrymebill
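A defender-side check for the spoof described in the excerpt, as an added example that is not part of the original article or thread: it decodes the `xn--` form quoted above, flags labels that mix scripts, and compares a confusable-folded form of the host against a watch list. The confusables table, the `PROTECTED` list and all function names are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption); a real
# deployment would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
PROTECTED = {"paypal.com"}  # hypothetical watch list of domains to protect


def decode_label(label):
    """Return the Unicode form of one DNS label; 'xn--' labels are decoded."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: keep the raw form
    return label


def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(text):
    """Fold known look-alike characters to the ASCII letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def check_host(host):
    """Report what a user would see and whether it imitates a watched domain."""
    labels = [decode_label(l) for l in host.rstrip(".").lower().split(".")]
    display = ".".join(labels)
    skel = skeleton(display)
    imitates = None
    if display != skel:  # at least one look-alike character was folded
        for dom in PROTECTED:
            if skel == dom or skel.endswith("." + dom):
                imitates = dom
    mixed = [l for l in labels if len(scripts(l)) > 1]
    return {"display": display, "mixed_script": mixed, "imitates": imitates}


if __name__ == "__main__":
    for h in ("www.xn--pypal-4ve.com", "www.paypal.com"):
        print(h, "->", check_host(h))
```

Showing the raw `xn--` form whenever `mixed_script` or `imitates` is set is one way to surface the difference that the address bar hides.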
To: chilepepper
Don't be absurd. Hundreds of companies, like mine, run tens of thousands of Windows XP desktops. Suggesting a desktop rollout is a flop because of the operating system is asinine.
61 posted on 02/07/2005 12:02:32 PM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.")
To: kevao; Katya
Double click on it; it will change to false. Or right-click, then select Toggle. Other right-click options are available as well.
62 posted on 02/07/2005 12:02:48 PM PST by Hank Rearden (Never allow anyone who could only get a government job attempt to tell you how to run your life.)
To: Mannaggia l'America
If only the default ActiveX setting in IE had been "Off" the malware problem would probably be about 20% (or less) its current size.
To: Mannaggia l'America
There is a difference between ActiveX and this setting. ActiveX is a major component of IE; this setting is nothing. That being said, this is an issue they need to look into. Maybe they need to color the address bar when a site is using international URLs.
64 posted on 02/07/2005 12:05:26 PM PST by N3WBI3
To: thoughtomator
"how many guys are going to go to the police complaining they got ripped off/scammed by a porn site? People simply don't do it,"
Thousands of people report porn sites to the FBI and the police all the time.
That is how lots of porn sites managed to get themselves convicted of fraud and other Internet crimes.
Buying porn these days is done by all kinds of people from all walks of life, even including women.
Plus some of the guys who buy porn don't have much of a reputation to worry about anyway.
To: KwasiOwusu
Just more anti-Micros....waitaminut, this looks like someone else screwed up!
To: KwasiOwusu
These guys can just run their sites from overseas, and the worst that can be done to them is to have their site shut down for a brief time.
67 posted on 02/07/2005 12:07:12 PM PST by thoughtomator (reporting from Cylon-occupied Caprica)
To: contemplator
"The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration"
That appears to be the default setting in Mozilla.
68 posted on 02/07/2005 12:09:30 PM PST by PAR35
To: Hank Rearden
"Microsoft must have a lot of excess cash if they can afford to pay people to prop up that POS. Guess it's still cheaper than delivering a tight, efficient, competitive browser."
Tell that to the Firefox clowns. Looks like they badly need that piece of advice.
"Firefox Rocks, as usual"
Firefox rocks like Saddam Hussein in that foxhole.
And that is exactly where the crappy Firefox is headed to: A foxhole.
FireFOX to FOXhole. Get it? :)
To: contemplator
Thanks! You learn something new every day. I love Firefox!
70 posted on 02/07/2005 12:10:59 PM PST by Lx (Tuesday is Soylent green day!)
To: N3WBI3
"It does not work on Linux...."
Doesn't work on the Apple Mac, written by CRAPPLE.
Still got nothing to do with Microsoft.
To: TheOtherOne
"So, it stays set to FALSE, but after a program restart. . . it no longer works. It only works from the time I toggle until I restart....is that what you are getting?"
Yep, and that actually is a Firefox bug. The original problem isn't a bug as such, since the browser is interpreting and displaying the Unicode characters correctly. It's a design flaw of IDN that it didn't consider spoofing attacks using characters that look similar to ASCII.
72 posted on 02/07/2005 12:13:56 PM PST by ThinkDifferent (These pretzels are making me thirsty)
To: KwasiOwusu
Heh heh, the funniest part is that the only reason IE isn't vulnerable is because it doesn't support the standard.
73 posted on 02/07/2005 12:14:24 PM PST by lainie
To: Doohickey
I didn't claim their roll-out was a flop *because of* the choice of OS, merely that their flopped system was Windows XP based.
The incident where their "commercial net" (based on Outlook) however, *does* qualify...
74 posted on 02/07/2005 12:14:39 PM PST by chilepepper (The map is not the territory -- Alfred Korzybski)
To: KwasiOwusu
"Doesn't work on the Apple Mac, written by CRAPPLE."
So are you 12, or just really bored?
75 posted on 02/07/2005 12:14:51 PM PST by ThinkDifferent (These pretzels are making me thirsty)
To: KwasiOwusu
Then Windows and OSX may have problems with their API, or the standard itself needs to be rewritten. If Explorer is given a plugin to allow for international URLs it is also vulnerable.
76 posted on 02/07/2005 12:15:11 PM PST by N3WBI3
To: Uncle Fud
"If only the default ActiveX setting in IE had been "Off" the malware problem would probably be about 20% (or less) its current size."
And if only people wouldn't have written the malware...
Some ActiveX controls are useful. But also a big problem is users clicking "Yes" to everything, including the warning screens that display.
To: thoughtomator
"These guys can just run their sites from overseas, and the worst that can be done to them is to have their site shut down for a brief time."
You'll find that a very high percentage of porn sites are operated right here in America, especially all those "naked housewives" and stuff like that.
It's a simple matter of following the money for the FBI. They gotta get their money somehow, mostly through credit card transactions.
Plus these days, even if you put your host server in Europe, Russia, Japan or even China, the FBI is still gonna get ya.
To: ThinkDifferent
"So are you 12, or just really bored?"
Repeat:
"Doesn't work on the Apple Mac, written by CRAPPLE"
That clear enough for you yet?
To: Always Right
Exactly - so no one should click on any link in an email. I never do, even if I know the person the email is from, because I cannot be sure it wasn't email generated by a virus.
80 posted on 02/07/2005 12:23:55 PM PST by cinives (On some planets what I do is considered normal.)