
Simon Willison’s Weblog

Nasty new IE vulnerability

Most people reading this are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people into trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com, which actually goes to simon.incutio.com: everything before the @ is the userinfo part of the URL, not the host. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them into “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

Today’s new Internet Explorer vulnerability makes the problem a hundred times worse. By including a 0x01 character (sent percent-encoded as %01) at the end of the fake username, immediately before the @ symbol, an attacker can trick IE into not displaying the rest of the URL at all: the address bar shows only the fake hostname, and the real host after the @ never appears. Don’t expect a patch for a while either; the guy who discovered the bug released it to BugTraq on the same day he notified the vendor.
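To make the two tricks concrete, here is an added example (not code from the original post, and not IE’s code) that parses the spoofed URLs above with a standards-conforming WHATWG URL parser and compares the real destination with what an address bar that stops rendering at the first 0x01 byte would show. It assumes Node.js with the built-in URL class; the truncation routine is a model of the behaviour described in the post, and the www.example.com URL is a constructed benign input for contrast.

```javascript
// Added example: spoofed-URL analysis with the WHATWG URL parser (Node.js).
// Not code from the original post or from Internet Explorer.

// Model of the reported IE behaviour: render the URL but drop everything
// from the first 0x01 byte onward. The %01 escape is decoded first because
// the exploit URLs carried it percent-encoded. A model, not IE's code.
function buggyAddressBar(raw) {
  const decoded = raw.replace(/%01/gi, "\x01");
  const cut = decoded.indexOf("\x01");
  return cut === -1 ? decoded : decoded.slice(0, cut);
}

// Decode percent-escapes so "%01" and a literal 0x01 byte compare equal.
function decodeUserinfo(part) {
  try { return decodeURIComponent(part); } catch { return part; }
}

// Heuristic: the start of the userinfo, which is what a user reads first,
// is shaped like a hostname (labels separated by dots). That is the lure.
function startsLikeHostname(s) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(s);
}

function analyseUrl(raw) {
  // The WHATWG parser percent-encodes a raw 0x01 in the userinfo as %01,
  // so both spellings of the exploit URL parse identically.
  const url = new URL(raw);
  const username = decodeUserinfo(url.username);
  const password = decodeUserinfo(url.password);
  const hasUserinfo = url.username !== "" || url.password !== "";
  const hasControlChar = /[\x00-\x1f\x7f]/.test(username + password);
  return {
    shownByBuggyBrowser: buggyAddressBar(raw),
    actualHost: url.hostname,
    hasUserinfo,
    hasControlChar,
    // Flag URLs a user could misread: userinfo present and either it
    // begins with something hostname-shaped or hides a control character.
    suspicious: hasUserinfo && (hasControlChar || startsLikeHostname(username)),
  };
}

// Sample inputs: the URLs from the post and its comments, plus one
// constructed benign URL.
const SAMPLES = [
  "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm",
  "http://www.microsoft.com\x01@zapthedingbat.com/",   // same, literal 0x01 byte
  "http://www.microsoft.com&session%123123123@simon.incutio.com",
  "http://www.example.com/login",                       // constructed, benign
];

for (const raw of SAMPLES) {
  const r = analyseUrl(raw);
  console.log(
    (r.suspicious ? "SUSPICIOUS" : "ok        ") +
    " shown=" + JSON.stringify(r.shownByBuggyBrowser) +
    " host=" + r.actualHost
  );
}
```

The point of the comparison is that a correct parser never loses the host: for every spoofed sample `actualHost` is the attacker-controlled name after the @, while the modelled address bar shows only `http://www.microsoft.com` for the %01 variants. The `suspicious` flag is the check a mail filter or link-rewriting proxy would apply: any URL with userinfo that starts with a hostname-shaped string, or that contains a control character, is worth blocking or at least rewriting.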

This is Nasty new IE vulnerability by Simon Willison, posted on 9th December 2003.


23 comments

  1. And we now probably won't see an update for a month, thanks to Microsoft's new "only-release-patches-on-the-2nd-Tuesday-of-every-month" initiative.

    Amazingly, there were no patches released for December today

    Tom Gilder - 9th December 2003 19:52 - #

  2. Right during Xmas season, too. How many people are going to get their credit card numbers and passwords stolen I can't imagine. Everyone use open source webbrowsers such as Mozilla instead! Microsoft should be uh...what was I saying...liable......the green color on this site is hurting my eyes! Stop zucchini stop! Me brane iz meltn....Aaaahkazwibblegahwefahuh... 8p Just kidding

    Happy Mozilla User - 9th December 2003 20:35 - #

  3. At one time I'd have considered the behaviour of the chap who discovered and simultaneously publicised the exploit to be a bit irresponsible.

    However it's got to the stage where IE (and Outlook) in the hands of the average user (how often do your parents go to Windows Update?) is such a security disaster that it doesn't really matter any more.

    My parents mostly use Mozilla, but there are still far too many sites they want to go to that are so broken that they have to resort to using IE.

    Jim Hughes - 9th December 2003 20:52 - #

  4. This web page shows that the meaning of the acronym 'URL' is "Universal Republic of Love". While that is certainly a happy interpretation, I don't think it's quite the intended one here.

    Lao - 9th December 2003 22:16 - #

  5. Opera warns: "you are about to go to an address containing a username". Mozilla should have some equivalent because although: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm may seem like an obvious dupe to "web-savvy" users, I think that some people will get fooled by it.

    MikeyC - 10th December 2003 01:49 - #

  6. Why warn when you can escape? "http://www%2emicrosoft%2ecom@zapthedingbat.com/" is safer than "http://www.microsoft.com@zapthedingbat.com/" plus a warning dialog.

    Jesse Ruderman - 10th December 2003 06:53 - #
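The escaping Jesse Ruderman describes, as an added example that is not part of the original thread and not any browser's code: an address-bar rendering that percent-encodes every byte of the username and password that is not an ASCII letter or digit, so a dot becomes %2e and a 0x01 byte becomes %01, and nothing in the userinfo can be read as a hostname. It assumes Node.js with the built-in URL class and Buffer; the host.example and www.example.com URLs are constructed inputs.

```javascript
// Added example: safe address-bar rendering of URLs with userinfo (Node.js).
// Not code from the thread or from any browser.

function decodeUserinfo(part) {
  try { return decodeURIComponent(part); } catch { return part; }
}

// Decode first so an already-escaped "%2e" and a literal "." end up the same,
// then re-encode byte by byte. Only ASCII letters and digits are left bare;
// output uses lowercase hex, e.g. "%2e".
function escapeUserinfoForDisplay(part) {
  const bytes = Buffer.from(decodeUserinfo(part), "utf8");
  let out = "";
  for (const b of bytes) {
    const ch = String.fromCharCode(b);
    out += /[A-Za-z0-9]/.test(ch) ? ch : "%" + b.toString(16).padStart(2, "0");
  }
  return out;
}

// Rebuild the URL from its parsed components. Only the userinfo is
// re-encoded; the real host is always rendered verbatim and cannot be hidden.
function displayUrl(raw) {
  const url = new URL(raw);
  let userinfo = "";
  if (url.username !== "" || url.password !== "") {
    userinfo = escapeUserinfoForDisplay(url.username);
    if (url.password !== "") userinfo += ":" + escapeUserinfoForDisplay(url.password);
    userinfo += "@";
  }
  return url.protocol + "//" + userinfo + url.host + url.pathname + url.search + url.hash;
}

// The URL from Jesse's comment, and the %01 variant from the post's comments.
console.log(displayUrl("http://www.microsoft.com@zapthedingbat.com/"));
// http://www%2emicrosoft%2ecom@zapthedingbat.com/
console.log(displayUrl("http://www.microsoft.com%01@zapthedingbat.com/"));
// http://www%2emicrosoft%2ecom%01@zapthedingbat.com/
```

Because the rendering is rebuilt from parsed components rather than from the raw string, a control character in the userinfo cannot truncate the display: it comes out as a visible %01 and the host after the @ is always present. URLs without userinfo round-trip unchanged.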

  7. From what I can tell, the bug only appears if you load the page using javascript, not if you click on a link or paste a URL into the address field. It can still be abused, of course, but you won't fool anyone by just publishing a fake URL somewhere.

    Fredrik Lundh - 10th December 2003 09:37 - #

  8. funny. as i was reading this my windows xp automatic update notified me that updates are ready to install!

    william - 10th December 2003 09:46 - #

  9. Perhaps username/password shouldn't be displayed in the address bar at all? Users would be forced to retype them if changing the URL, but that's not a great hardship and it's a feature only used legitimately by more technical users anyway. If I was building a browser I wouldn't be comfortable including a feature that makes it so easy to confuse users.

    As for the IE bug, well it's a bad one even by MS standards and I'm sure there are lots more yet to be found. I really should get round to switching my Windows box to Firebird, getting non-technical friends/relatives to do the same is another matter though ("but how can I get on the internet without Internet Explorer?"; "but we all use IE at work and our IT bloke knows about these things"; "Microsoft would never let millions of people use something if it was really that bad").

    Matt Round - 10th December 2003 09:51 - #

  10. ... and in the other security news of the week. Isn't the Net a cool place?

    Michael - 10th December 2003 13:58 - #

  11. Thanks for the link to the BEAST 2.05 TROJAN HORSE PROGRAM!!!

    I actually have BOClean 4.11 on my system but it insists on scanning my system every 10 seconds so configured it to scan once and shutdown...looks like I may have to make a deal with the software!

    Just as well that I don't use IE but I will be updating BOClean 4.11 when I get home from work just in case...all these MS holes are making Security Administrators out of the rest of us. I long for those days when I could just use my PC but those days are long gone.

    Kayode Okeyode - 10th December 2003 14:51 - #

  12. You're welcome.

    There's a thread running on it at GRC Security. I don't know how much of your resources Kevin's program uses.

    As for the Trojan, I guess you have to download and run the thing anyway. Of course, one may not have intended to download some nasties. As Philip Brittan says on C|Net today:

    Attempts to make Web pages usable have led to a "fat browser" approach of embedded JavaScript, ActiveX controls, applets and Flash presentations that make the browser as insecure as desktop software.

    It's a problem.

    Michael - 10th December 2003 18:06 - #

  13. In reply to Fredrik Lundh, it does work with just a simple link: Portal page :)

    Matthew - 10th December 2003 18:30 - #

  14. There's a thread running on it at GRC Security. I don't know how much of your resources Kevin's program uses.

    I am already subscribed to GRC Security but cannot access it from work; I am home now and I have just seen the link posted by Kevin

    This may also interest you:

    Microsoft was awarded on Tuesday a patent by the US Patents and Trademarks Office on writing Windows applications in HTML, so making it possible to bypass the built-in security that browsers offer.

    Source is http://news.zdnet.co.uk/software/developer/0,39020387,39118430,00.htm

    Kayode Okeyode - 10th December 2003 19:48 - #

  15. Strange, the article says that HTA's (HTML Applications) are new... I was coding HTA's at least four years ago, and I don't think I was one of the first. I wonder why it's taken so long for the patent to come through.

    Chris O'Brien - 10th December 2003 21:16 - #

  16. I am not familiar with the history of HTA but there have been issues in the past regarding HTA which were debunked as "FUD"; perhaps that's why the patent took too long to come through ;)

    Anyway, here are my collections of the HTA stuff gleaned from a thread in GRC in July if you wish to wade through them:

    Kayode Okeyode - 10th December 2003 22:16 - #

  17. Simon, have you noticed what happens when you put http://0x01Simon.Incutio.com ??? It takes you to your site's configuration page???

    Jim - 11th December 2003 01:00 - #

  18. If you display the File.Properties dialog for that page, you can see the full URL.

    Johnny Lee - 11th December 2003 18:19 - #

  19. Did you see SG's take on that Kayode?

    As I read it, this just means ... that rather than having LOCAL applications using only the standard Windows GUI, they would now be able to use an HTML rendering window augmented by Windows-like controls. So it's just another way for an application author to create an application. Since the implication is that this is for LOCAL (not trans-Internet) use, it's really no more or less secure than normal Windows applications which can already do anything they want with the user's local machine and have always been implicitly trusted not to do anything malicious.

    Michael - 11th December 2003 19:33 - #

  20. Yes I did; you beat me to the punch!

    He must have read up on it since the 84-thread debacle back in July!!

    Kayode Okeyode - 11th December 2003 19:52 - #

  21. I just stumbled on to this article while I was doing some research on this new IE bug:

    Small Software Company cleans Microsoft's own mess

    Following an announcement from Microsoft that it would not be issuing December security patches under their new monthly release cycle, a small software company, Opensoft Corporation of Vanuatu, has released a security patch to mend a new Internet Explorer vulnerability that could be used by hackers and con-artists for on-line fraud.

    The bug, which carries a highly critical rating according to security alerts by BugTraq and Opensoft, could be used to display false Web addresses on fake sites, and is the second major vulnerability in the world's most popular Web browser that remains unpatched.

    The public release of proof-of-concept exploits before fixes are issued underscores the nightmares Microsoft face in its all-out effort to improve its patch management process. But in a bizarre twist of events, an interim security patch to the flaw was released today by an independent software company.

    Publicly, Microsoft isn't saying why it decided against releasing patches. On the TechNet repository, the company said simply that if the need arises for emergency patches, they will be issued outside the monthly releases.

    A Microsoft company official told internetnews.com security fixes were in development but problems during the testing phase pushed back the release date. The source could not say if a cumulative patch for Internet Explorer was part of the tests and left the door open to an emergency release of an IE patch before the second Tuesday in January, the next scheduled release date.

    As Microsoft struggle to cope with the patch management headache, researchers say the latest IE flaw was detected in the way the browser displays URLs in the address bar. A test exploit using microsoft.com and paypal.com domains was made public, showing that a specially crafted URL can be used by an attacker to spoof Web addresses.

    Malicious hackers frequently lure unsuspecting surfers to convincing replicas of e-commerce sites such as PayPal, where they're tricked into handing over sensitive information, including credit card and social security numbers. This method is said to be a key tool in credit card and identity theft.

    Savvy Web surfers often figure out the ruse from irregularities in the Web address. But in the method described and demonstrated by Opensoft, IE could allow the address bar for the spoofed PayPal site, for example, to read "PayPal.com."

    An Opensoft spokesperson commented on the story saying it is not our intention to embarrass Microsoft in any way; we just wanted to provide a temporary solution for the vulnerability, especially since it is the Holidays, a time when millions of e-shoppers are most susceptible to this type of exploit.

    An example of the new IE vulnerability, including its detailed description and interim security patch and its source code are all available to the general public at http://security.openwares.org

    LOL! Microsoft should use this patch in their next windows update ;)

    Micheal - 17th December 2003 15:08 - #

  22. This "patch" is a fraud, it's OpenWares that should be embarrassed. Go ahead install it, then use Ad-Aware. http://www.heise.de/security/news/meldung/43084 http://www.theregister.co.uk/content/55/34618.html I wonder how many people were fooled?

    Maciek - 20th December 2003 06:00 - #


Previously hosted at http://simon.incutio.com/archive/2003/12/09/nastyBug
