All Browsers But IE At Risk To New Spoofing Scheme (article)

  • Thread starter Thread starter jeffrey
  • Start date Start date
jeffrey said:
Hi,

Don`t know if anyone has seen this, but you can check it out on
Techweb at this link
http://www.techweb.com/wire/security/59301618

Jeff

Yeah, IE doesn't display the spoofed page, but it does show the url of the spoof page in the address bar.

And when you use Copy Shortcut on the link in IE, it pastes as the spoof addresses instead of the actual url as it is written in the html source file.

Ex.

A spoofed address for Paypal is written as <a href="http://www.paypаl.com/"> in the html file, but when you use Copy Shortcut on the link in the displaying web in IE and paste the shortcut elsewhere, it shows as http://www.paypal.com.

Paypal

Use Copy Shortcut on the Paypal link above. When you paste it, it will paste as http://www.paypal.com, and not as http://www.paypаl.com/ as it is written in the html source.

Again, IE won't show a will show and error page instead of a spoofed one, but Windows will paste the spoofed address, instead of the REAL address that is written in the html source, so something is still smells a little rotten in Redmond.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Hi,

Not everything can smell like roses (LOL)

Jeff

jeffrey said:
Hi,

Don`t know if anyone has seen this, but you can check it out on
Techweb at this link
http://www.techweb.com/wire/security/59301618

Jeff

Yeah, IE doesn't display the spoofed page, but it does show the url of the
spoof page in the address bar.

And when you use Copy Shortcut on the link in IE, it pastes as the spoof
addresses instead of the actual url as it is written in the html source
file.

Ex.

A spoofed address for Paypal is written as <a
href="http://www.paypаl.com/"> in the html file, but when you use Copy
Shortcut on the link in the displaying web in IE and paste the shortcut
elsewhere, it shows as http://www.paypal.com.

Paypal

Use Copy Shortcut on the Paypal link above. When you paste it, it will
paste as http://www.paypal.com, and not as http://www.paypаl.com/ as
it is written in the html source.

Again, IE won't show a will show and error page instead of a spoofed one,
but Windows will paste the spoofed address, instead of the REAL address that
is written in the html source, so something is still smells a little rotten
in Redmond.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
This shows that, to a large extent, exploits based on IE and Windows
are more a function of critical mass of technically unsophisticated
end users rather than inherent insecurity.

Most server exploits I see see (anonymous spam, phish sites) seem to
be based on PHP software running on Apache running on *nix.

(In particular, the withdrawn mailing module of PHP Nuke is a favorite
of 419 and phish spammers. Do a groups.google.com lookup of "RLSP
Mailer".)
 
Marc said:
You can find a FULL LIST of the non-Microsoft browsers hit by this
serious vulnerability here:

http://www.verisign.com/products-se...alized-domain-names/page_002201.html#01000002

Regards

Marc Liron
Microsoft MVP
www.updatexp.com
www.podcasting-101.com


This can be worked around in Mozilla Firefox by disabling IDN support.
To do this, you will have to edit compreg.dat, which is located in your
Firefox profile directory:

c:\Documents and Settings\[User Name]\Application
Data\Mozilla\Firefox\Profiles\[ramdom].default\compreg.dat

First make a backup copy of compreg.dat, and then open this file with a
text editor, which understands the line endings in it, such as Wordpad,
and comment out all lines containing IDN by adding "#" at the start of
the line.

Example:

#
{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Repeat for all lines containing "IDN." Save and exit out of your text
editor, and then set the compreg.dat file as read only. Don't install
any new extentions for Firefox until the Mozilla development team issues
and fix for the IDN spoofing problem.

Go to http://secunia.com/multiple_browsers_idn_spoofing_test/ to test if
the work around was successful.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Stan said:
in microsoft.public.windowsxp.general:

It lists Mozilla, but in a quick test Mozilla was not fooled -- as
I posted yesterday.
I'm using Mozilla 1.7.5 and it WAS fooled.
 
David said:
I'm using Mozilla 1.7.5 and it WAS fooled.

So, have you disabled the IDN yet?

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
I'm using Mozilla 1.7.5 and it WAS fooled.

I'm using FireFox 1.0 on Linux and it was vulnerable, but I would rather
have that one limited exposure than all the ones present in an unsecured
IE.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top