saint_monkey (![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
saint_monkey) wrote2004-01-23 06:47 pm
saint_monkey) wrote2004-01-23 06:47 pm
Entry tags:
please be careful
thanks to didymos for posting this on his journal... i wouldn't normally re-post, but i've started seeing this A LOT at work, in ever more sophisticated variations, and i think that the problem will only grow.
what this boils down to: someone can send you an email message that includes a link to a website that you know and trust. when you click the link, you appear to go to that website, but you are actually visiting a third party site. anything you do believing you are at the user's site (like enter your account id and password, your credit card number, bank account number, etc...) will actually GO to the hacker... not good. (a patch is available at the site below)
from http://security.openwares.org/:
Internet Explorer URL Spoofing Vulnerability
Release Date: 2003-12-10
Last Update: 2003-12-27
Critical: Highly critical
Impact: ID Spoofing
Where: From remote
Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
Description:
A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.
The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.
This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars.
Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
The vulnerability has been confirmed in version 6.0, and version 5.x is also affected according to Microsoft's knowledge base article.
Solution:
Click on the following link to download and install the IE URL Spoofing Vulnerability Patch.
Download now
Reported by / credits:
Originally discovered by:
Zap The Dingbat
Status bar variant reported by:
Chris Hall
Changelog:
2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
2003-12-14: Microsoft has issued a knowledge base article concerning the issue. This also reports that version 5.x is affected.
2003-12-14: Released IEpatch to fix URL Spoofing Vulnerability.
2003-12-20: Released revised IEpatch version 2.0. Fixed all known errors.
2003-12-27: Released final revised version 3.0, which redirects blocked pages to a local file.
Other References:
Microsoft Knowledge Base Article - 833786:
http://support.microsoft.com/?id=833786
didymos for posting this on his journal... i wouldn't normally re-post, but i've started seeing this A LOT at work, in ever more sophisticated variations, and i think that the problem will only grow.what this boils down to: someone can send you an email message that includes a link to a website that you know and trust. when you click the link, you appear to go to that website, but you are actually visiting a third party site. anything you do believing you are at the user's site (like enter your account id and password, your credit card number, bank account number, etc...) will actually GO to the hacker... not good. (a patch is available at the site below)
from http://security.openwares.org/:
Internet Explorer URL Spoofing Vulnerability
Release Date: 2003-12-10
Last Update: 2003-12-27
Critical: Highly critical
Impact: ID Spoofing
Where: From remote
Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
Description:
A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.
The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.
This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars.
Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
The vulnerability has been confirmed in version 6.0, and version 5.x is also affected according to Microsoft's knowledge base article.
Solution:
Click on the following link to download and install the IE URL Spoofing Vulnerability Patch.
Download now
Reported by / credits:
Originally discovered by:
Zap The Dingbat
Status bar variant reported by:
Chris Hall
Changelog:
2003-12-11: Linked to test. Added information regarding variant, which makes it possible to spoof URL in the status bar as well.
2003-12-14: Microsoft has issued a knowledge base article concerning the issue. This also reports that version 5.x is affected.
2003-12-14: Released IEpatch to fix URL Spoofing Vulnerability.
2003-12-20: Released revised IEpatch version 2.0. Fixed all known errors.
2003-12-27: Released final revised version 3.0, which redirects blocked pages to a local file.
Other References:
Microsoft Knowledge Base Article - 833786:
http://support.microsoft.com/?id=833786