At Large Membership and Civil Society Participation in ICANN
MicroSoft Closes Browser Phishing Hole
posted by michael on Tuesday February 03 2004, @04:49AM
fnord writes "MicroSoft has released a patch for their Internet Explorer web browser to close a URL line exploit that misled users as to which website they would reach by following a given domain name address. Scammers and others would send email (often in bulk) or by other methods (EG: Usenet postings) that contained obfuscated URLs of the form: http://icann.org@icannwatch.org which would somewhat counter-intuitively send the recipient to the rightmost address in the URL. You can give it a try if you have IExplorer (note that if you are already logged in it might forget that). Most other browsers no longer support such a 'feature'. While MicroSoft spins this as timely (even breaking from their normal monthly release schedule), the technique, called spoofing or phishing, was already well known and being (mis)used long before I reported on it here over two years ago."
"In MicroSoft's defense this was originally a 'feature' meant to contain UserID info, but like so much of the internet these days, not everyone still plays nice. MicroSoft was also slow to implement this as it will cause a number of sites to either be unreachable or have to change, as MicroSoft's suggested workarounds make clear. And perhaps it is because a couple of additional wrinkles have more recently come to light. One makes the URL line look like the real thing, and another makes use of a popup above the real site. The patch also guards against sites being able to download malicious code to recipient machines (this is far from the first fix for that, and it likely won't be the last). With MyDoom currently ricocheting around the net, it isn't beyond the realm of possibility that someone could use phishing to appear to be oh...say MicroSoft (it wouldn't be the first time) in bulk email about oh...say a security update, download code turning recipient machines into zombies, and then using something like oh...say a DRDos attack on oh...say the root servers, knocking them off is surely the unholy grail of those who don't play nice. One further sobering thought. I am often asked to work on Windoze machines and I doubt one in ten users ever does a Windows Update or installs patches or service packs, most don't even know they exist. With Microsoft's Internet Explorer being the browser used by about 95% of those online, that could still make for a lot of zombies. -g"
Oops, the phishing link in the second paragraph should have pointed to anti-phishing.org [anti-phishing.org]. It was a mistake I missed during checking; in that instance there was no intent to deceive. And note that if you have your ICANNWatch prefs set to show the actual root domain name of a link following that link, a la SlashDot, as in: example.com/page.htm [example.com] the code is smart enough to show the actual destination, not the apparent one, that is, the link: http://icann.org@www.icannwatch.org/ [icannwatch.org] should be followed by [icannwatch.org]. Perhaps such a function could be added to email clients to unobfuscate incoming email. Of course MicroSoft's email clients would never have it because it will no longer be seen as necessary, and if they did decide to add such functionality it would probably take a few years. -g
The Mozilla browser actually still supports that syntax, at least in the version I'm using.
- Re:Mozilla by fnord, Tuesday February 03 2004, @09:09AM
But the syntax http://user:password@site is allowed in the URI specification RFC (rfc2396).
The problem with IExplorer was that a certain character inside the URL (hidden right after the '@' sign) caused Explorer not to show the rest of the URL, even in the address bar or the body of a mail message!! So the crackers could use that character to hide the real server.
Hugo
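The check suggested in the comments above (show the real destination after each link, and flag user:password@ parts that disguise it), as an added Python example that is not part of the original posts or of the ICANNWatch code. The function names and the sample message are constructed for illustration, and `%01` is only a stand-in for the hidden character, which the comments do not name.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def inspect_url(url):
    """Return the host a browser will actually contact, plus warning flags."""
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo, not a host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)
    flags = []
    if at:
        flags.append("userinfo-present")
        # A dot in the user name makes the userinfo read like a host name.
        if "." in decoded.partition(":")[0]:
            flags.append("userinfo-looks-like-host")
        # Control characters can cut off what a UI displays after them.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            flags.append("control-char-in-userinfo")
    return {"url": url, "real_host": parts.hostname, "flags": flags}

def annotate(text):
    """Append '[real host]' after each URL, marking suspicious ones with (!)."""
    def repl(match):
        info = inspect_url(match.group(0))
        mark = " (!)" if info["flags"] else ""
        return f"{match.group(0)} [{info['real_host']}]{mark}"
    return URL_RE.sub(repl, text)

# Constructed sample message body (not taken from a real email).
SAMPLE = (
    "Update your details at http://icann.org@www.icannwatch.org/ today.\n"
    "Mirror: http://icann.org%01@icannwatch.org/login\n"
    "Docs: http://example.com/page.htm\n"
)

if __name__ == "__main__":
    print(annotate(SAMPLE))
    for found in URL_RE.findall(SAMPLE):
        print(inspect_url(found))
```
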

The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org.