Posted on 02/08/2005 2:05:36 PM PST by Syntyr
Experts: International domain names may pose threat
The new trick is a variation of the 'homograph attack'
The new trick is a variation of a known technique called the "homograph attack" and takes advantage of loopholes in the way some popular Web browsers display domain names that use non-English characters. It could allow malicious hackers and online identity-theft groups to trick unsuspecting users into divulging sensitive personal information, according to an advisory from The Shmoo Group, a hacker collective, and from Secunia.
snip
For example, attackers could register a Web domain "bloomberg.com," which looks identical to the popular business news Web site, but in which the letters "o" and "e" have been substituted with identical-looking substitutes from the Cyrillic alphabet, used in the Russian language, creating a new domain, the authors said. In another example, the authors registered the domain www.microsoft.com, in which the English letters "c" and "o" in that domain were substituted with their Cyrillic counterparts.
snip
Some popular Web browsers, including The Mozilla Foundation's Firefox 1.0, Apple Computer Inc.'s Safari Version 1.2.5 and Opera Software ASA's Version 7.54 browser, all render the IDN characters in a way that could be used in an attack, according to details released by The Shmoo Group.
Ironically, Microsoft Corp.'s Internet Explorer browser, a popular target for Web-based attacks, isn't vulnerable to the IDN homograph attack, The Shmoo Group said.
snip
Firefox supports IDN by default, but users can disable it by typing "about:config" into the browser's address bar, locating the network.enableIDN option and double-clicking on it to set it to "false."
(Excerpt) Read more at computerworld.com ...
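The letter substitution described in the excerpt can be checked for mechanically. The following is an added example, not part of the original post or the advisory: a coarse mixed-script check on hostname labels that falls back to the ASCII "xn--" form for display when a label mixes alphabets. The function names and the sample hostname are assumptions constructed for illustration.

```python
import unicodedata

# Constructed sample: "bloomberg.com" with Cyrillic o (U+043E) and e (U+0435).
SPOOF = "bl\u043e\u043emb\u0435rg.com"

def script_of(ch):
    """Coarse script name from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return "COMMON"  # digits, hyphens and marks do not identify a script
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding an xn-- label if present."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def analyze(hostname):
    """List (label, scripts) for every label that mixes more than one script."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    return findings

def display_form(hostname):
    """Show mixed-script labels in their ASCII xn-- form, others unchanged."""
    flagged = {label for label, _ in analyze(hostname)}
    out = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        if label in flagged:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            out.append(label)
    return ".".join(out)
```

A label written entirely in one non-Latin script is not flagged by this check, so it only covers the partial-substitution case the excerpt describes.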
I read about this yesterday and already did the about:config fix in about 3 seconds.
Compare that to Microsoft, there would be 2 weeks of denial, followed by an announcement that a patch would be available in three weeks.
Once the patch is released, there would be 3 new security holes opened by the new patch.
Hot on the heels of Monday's disclosure of spoofing vulnerabilities in most non-Internet Explorer browsers, a security researcher Tuesday unveiled another trio of bugs in Firefox and its Mozilla cousin.
The flaws, all of which involve some user action, can be used by hackers to drop code onto a PC, muck with the about:config element of the browser, or steal cookies that, for instance, provide instant access to protected Web sites.
"If you create a hybrid of a .gif image and a batch file you can trick Firefox," claimed the German researcher identified only as "mikx" by Danish security firm Secunia, in his original warning of one of the bugs.
"Since the hybrid renders as a valid image, Firefox tries to copy the image to the desktop when dropped. By creating the image dynamically and forcing the content type image/gif, the file can be of any extension (e.g. image.bat or image.exe). Since Windows hides known file extensions by default, a user can only tell that something went wrong by looking at the file icon, which is different of course. If the user does not care or know what this different icon means, a double click to view or edit the "image" he just dropped executes the batch file instead."
The vulnerabilities have been confirmed in Firefox 1.0 and Mozilla 1.7.5, the most current editions of the open-source browser and browser suite, respectively.
While Mozilla Foundation developers have implemented fixes, they haven't been rolled into a patch or a new version that can be downloaded and used without recompiling the code.
Is it remotely consistent with the principles of business "dirty pool" that those with something to gain by the failure of Firefox, Linux, etc. are related to this?
E.g. could some hackers be receiving payment to try to disrupt the more popular open-source desktop apps?
[Full Disclosure : Fortran and vi forever! ]
Firefox supports IDN by default, but users can disable it by typing "about:config" into the browser's address bar, locating the network.enableIDN option and double-clicking on it to set it to "false."
Quite possible.
Even some major pc virus software co's have been suspected of developing certain virii so they can sell more of their software.
Possible? Between ethics and dollars, which would business choose?
Pretty predictable: as other browsers become more popular, it becomes more worthwhile to invent viruses to exploit them.
You mean, similar to the folks who write viruses because they hate Microsoft? Sure, it's possible.
But I think it's more likely to be infantile bastards who've found a new place to play.
Bingo. We have a winner.
Interesting but not really virulent or dangerous. If someone wanted to pretend to be C1tybank or Paypa1 then it would be a problem I guess, but you'd have to be an idiot to respond to an email link to get to your bank or other password locked accounts. And the only way they can get you to go to these fake sites is to send you a fake site URL in the mail. The moral is don't click on any links in emails, ever, unless it's from someone you know.
-g
Ah, wreckless youth!
You didn't give FORTRAN all caps.
You didn't give FORTRAN all caps.
Yeah well, vi is case insensitive (you can type in anything you want), even if UNIX ain't (COUNTER and counter are different to the kernel)...
Ahhh the days of FORTRAN, COBOL and Pascal...
I used to have a cat named FORTRAN but that's another story!
Do you remember Assembler...
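main:
        pushl %ebp              # set up the stack frame
        movl  %esp,%ebp
        movb  hi_temp,%al       # AL = hi_temp
        addb  lo_temp,%al       # AL += lo_temp, carry out goes to CF
        movb  $0,%ah            # clear AH (movb leaves CF untouched)
        adcb  $0,%ah            # AH = CF, so AX holds the full 9-bit unsigned sum
        movb  $2,%bl
        divb  %bl               # unsigned AX / 2 -> AL (idivb would fault on sums above 255)
        movb  %al,av_temp       # store the average
        leave
        ret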
Still use it. Even NOP commands...
I laugh at this. Safari & Firefox are working as they're supposed to and automatically supporting foreign alphabets.
Because IE is so brain-dead and multi-lingual hostile, the legitimate characters probably show up as junk. Does anyone know if IE that is "immune" includes IE for Mac OS X? I'd hazard a guess that it does not.
Thank you for this tip for Firefox.
Clearly the false and misleading BUG BUG BUG BUG BUG BUG is sensationalist dung out of the intestines of Microsoft lovers and Gates' worshipers. It makes me SICK!
It's possible people are being paid to release exploits for Linux, but right now there's zero proof of it. This particular list seems to have come from a convention of hackers. But what we DO know is that people in China and Europe that work for so called security firms like X-Focus are constantly open sourcing exploit code to the internet for newly found vulnerabilities before even alerting Microsoft and allowing them the chance to develop patches. And, open source leaders like Linus Torvalds are on record saying they approve of the methodology. Draw your own conclusions, but looks to me like you're ignoring the elephant already in the room.