new ie exploit

Discussion in 'Windows Desktop Systems' started by Perris Calderon, Dec 23, 2003.

  1. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
    click the link below

    this is a service, it does not take advantage of the exploit, it demonstrates it

    http://www.voiceofthepublic.com/test/test3a.html

    if you try it, and are wondering how it's done, it adds a charachter that's not rendered in your fonts, but you can see it properties....also you can see the true address if you use mozilla.

    mocrosoft is on it allready here;

    http://support.microsoft.com/?id=833786

    I'll post the text in the next panel so oyu don't have to click the link
     
  2. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
    from the microsoft knowledge center, and a paste from the link I posted above

    Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks
    View products that this article applies to.
    SUMMARY
    When you point to a hyperlink in Microsoft Internet Explorer, Microsoft Outlook Express, or Microsoft Outlook, the address of the Web site typically appears in the Status bar at the bottom of the window. After you click a link that opens in Internet Explorer, the address of the Web site typically appears in the Internet Explorer Address bar, and the title of the Web page typically appears in the Title bar of the window.

    However, a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar. This article describes steps that you can take to help mitigate this issue and to help you to identify a deceptive (spoofed) Web site or URL.
    MORE INFORMATION
    This article discusses steps you can take to help protect yourself from spoofed Web sites. To summarize, these steps are:
    Verify that there is a lock icon in the lower right Status bar and verify the name of the server that provides the page that you are viewing before you type any personal or sensitive information.
    Do not click any hyperlinks that you do not trust. Type them in the Address bar yourself.
    This article also discusses steps that will help you identify spoofed Web sites and malicious hyperlinks.
    Things that you can do to help protect yourself from spoofed Web sites
    Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information.

    SSL/TLS is typically used to help protect your information as it travels across the Internet by encrypting it. However, it also serves to prove that you are sending data to the correct server. By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. To do this, verify that the lock icon appears in the lower right corner of the Internet Explorer window.

    Note If the status bar is not enabled, the lock will not appear. To enable the Status bar, click View, and then click to select Status Bar.

    To verify the name of the server that appears on the digital certificate, double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site. For additional information about how to do this, visit the following Microsoft Web site:
    http://www.microsoft.com/security/incident/spoof.asp

    Things that you can do to help protect yourself from malicious hyperlinks
    The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER.

    Note The Address bar does not appear if it is not enabled. To enable the Address bar, click View, point to Toolbars, and then click to select Address Bar.


    Some things that you can do to identify spoofed sites when the Web site is not using SSL/TLS
    The most effective step that you can take to verify the name of the site that provides the page that you are viewing is to verify the name on a digital certificate using SSL/TLS. But if the site does not use SSL/TLS, you cannot conclusively verify the name of the site that provides the page that you are viewing. However, there are some things that you can do that, in some cases, may help you identify spoofed sites.

    CAUTION: THE FOLLOWING INFORMATION PROVIDES GENERAL GUIDELINES BASED ABOUT WELL-KNOWN ATTACKS. BECAUSE ATTACKS CHANGE CONSTANTLY, MALICIOUS USERS COULD CREATE SPOOFED WEB SITES BY USING MEANS OTHER THAN THOSE THAT ARE DESCRIBED HERE. TO HELP PROTECT YOURSELF, ONLY TYPE PERSONAL OR SENSITIVE INFORMATION ON A WEB SITE IF YOU HAVE VERIFIED THE NAME ON THE DIGITAL CERTIFICATE. ALSO, IF YOU HAVE ANY REASON TO SUSPECT THE AUTHENTICITY OF A SITE, LEAVE IT BY CLOSING THE BROWSER WINDOW IMMEDIATELY. FREQUENTLY, THE QUICKEST WAY TO CLOSE THE BROWSER WINDOW IS TO PRESS ALT+F4.
    Try to identify the URL of the current Web page
    To try to identify the URL of the current Web site, use the following methods.


    Use Jscript commands to try to identify the actual URL for the current Web site

    Use a JScript command in Internet Explorer. In the Address bar, type the following command, and then press ENTER:
    javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

    CAUTION: USE CAUTION WHEN YOU TYPE SCRIPT DIRECTLY IN THE ADDRESS BAR. SCRIPT THAT YOU TYPE DIRECTLY IN THE ADDRESS BAR CAN TAKE THE SAME ACTIONS ON THE LOCAL SYSTEM AS THE USER WHO IS CURRENTLY LOGGED ON.

    The JScript message box shows the actual URL Web address for the Web site that you are visiting.

    You can also copy the following JScript code and paste it in the Address bar for a more verbose description of the Web site URL:
    javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

    Compare the actual URL with the URL in the Address bar. If they do not match, the Web site is likely misrepresenting itself. In this case, you may want to close Internet Explorer.


    Use the Internet Explorer History pane to try to identify the actual URL for the current Web site

    In the scenarios that Microsoft has tested, you can also use the History Explorer Bar in Internet Explorer to help identify the URL of a Web page. On the View menu, point to Explorer Bar, and then click History. Compare the URL in the Address bar with the URL that appears in the History bar. If they do not match, the Web site is likely misrepresenting itself and you may want to close Internet Explorer.

    Paste the URL in the Address bar of a new instance of Internet Explorer

    You can paste the URL in the Address bar of a new instance of Internet Explorer. By doing so, you may be able to verify the information that Internet Explorer will use to access the destination Web site. In the scenarios that Microsoft has tested, you can copy the URL that appears in the Address bar and paste it in the address bar of a new session of Internet Explorer to verify the information Internet Explorer will actually use to access the destination Web site. This process is similar to the step that is discussed in “Things that you can do to help protect yourself from spoofed Web sites” section earlier in this article.

    CAUTION: IF YOU PERFORM THIS ACTION ON SOME SITES, SUCH AS E-COMMERCE SITES, THE ACTION CAN POTENTIALLY CAUSE YOUR CURRENT SESSION TO BE LOST. FOR EXAMPLE, THE CONTENTS OF AN ONLINE SHOPPING CART MAY BE LOST, AND YOU MAY HAVE TO REPOPULATE THE CART.

    To paste the URL in the Address bar of a new instance of Internet Explorer, follow these steps:
    Select the text in the Address bar, right-click the text, and then click Copy.
    Close Internet Explorer.
    Start Internet Explorer.
    Click in the Address bar, right-click, and then click Paste.
    Press ENTER.


    Some things that you can do to identify malicious hyperlinks

    The only way that you can verify the information that Internet Explorer will use to access the destination Web site is by manually typing the URL in the address bar. However, there are some things that you can do that, in some cases, may help you identify a malicious hyperlink.

    CAUTION: THE FOLLOWING INFORMATION PROVIDES GENERAL GUIDELINES BASED ABOUT WELL-KNOWN ATTACKS. BECAUSE ATTACKS CHANGE CONSTANTLY, MALICIOUS USERS COULD CREATE SPOOFED WEB SITES BY USING MEANS OTHER THAN THOSE THAT ARE DESCRIBED HERE. TO HELP PROTECT YOURSELF, ONLY TYPE PERSONAL OR SENSITIVE INFORMATION ON A WEB SITE IF YOU HAVE VERIFIED THE NAME ON THE DIGITAL CERTIFICATE. ALSO, IF YOU HAVE ANY REASON TO SUSPECT THE AUTHENTICITY OF A SITE, LEAVE IT BY CLOSING THE BROWSER WINDOW IMMEDIATELY. FREQUENTLY, THE QUICKEST WAY TO CLOSE THE BROWSER WINDOW IS TO PRESS ALT+F4.



    Try to identify the URL that a hyperlink will use

    To try to identify the URL that a hyperlink will use, follow these steps:
    Right-click the link, and then click Copy Shortcut.
    Click Start, and then click Run.
    Type notepad, and then click OK.
    On the Edit menu in Notepad, click Paste.
    By doing this, you can see the full URL for any hyperlink and you can examine the address that Internet Explorer will use. The following list shows some of the characters that may appear in a URL that could lead to a spoofed Web site:
    %00
    %01
    @
    For example, a URL of the following form will open http://example.com, but the URL in the Address bar or the Status bar in Internet Explorer may appear as http://www.wingtiptoys.com:
    http://www.wingtiptoys.com@example.com




    Other steps that you can take

    Although these actions do not help you to identify a deceptive (spoofed) Web site or URL, they can help limit the damage from a successful attack from a spoofed Web site or a malicious hyperlink. However, they restrict e-mail messages and Web sites in the Internet zone from running scripts, ActiveX Controls, and other potentially damaging content.
    Use your Web content zones to help prevent Web sites that are in the Internet zone from running scripts, running ActiveX Controls, or running other damaging content on your computer. First, set your Internet zone security level to High in Internet Explorer. To do so, follow these steps:
    On the Tools menu, click Internet Options.
    Click the Security tab, click Internet, and then click Default level.
    Move the slider to High, and then click OK.
    Next, add the URLs for Web sites that you trust to the Trusted Sites zone. To do so, follow these steps:
    On the Tools menu, click Internet Options.
    Click the Security tab.
    Click Trusted sites.
    Click Sites.
    If the sites that you want to add do not require server verification, click to clear the Require server verification (https:) for all sites in this zone check box.
    Type the address of the Web site you want to add to the Trusted sites list.
    Click Add.
    Repeat steps 6 and 7 for each Web site that you want to add.
    Click OK two times.
    Read E-mail Messages in Plain Text.

    For Outlook 2002 and Outlook 2003:


    307594 OL2002: Users Can Read Nonsecure E-mail as Plain Text

    831607 How to View All E-Mail Messages in Plain Text Format in Outlook 2003



    For Outlook Express 6:
    291387 OLEXP: Using Virus Protection Features in Outlook Express 6

    By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:
    %00
    %01
    @
    For example, a URL of the following form will open http://example.com, but the URL that appears in the Address bar of Internet Explorer may show http://www.wingtiptoys.com:
    http://www.wingtiptoys.com@example.com

    REFERENCES
    For more information about Uniform Resource Locators (URLs), visit the following Word Wide Web Consortium Web site:
    http://www.w3.org/addressing/url/url-spec.txt

    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
     
  3. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
    as usual, the exploit is not affective in mozilla
     
  4. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Or safari (KHTML) :)
     
  5. Enyo

    Enyo Moderator

    Messages:
    1,338
    This is a minor exploit and does not represent a security threat to the majority of people.

    If you fall for things like paypal scams then this will affect you.

    This has been reported on the frontpage along with the OpenSource patch that did not work and that has been subsequently fixed but is still unrecommended.

    As i said on the frontpage it is expected this will be patched in keeping with the patch policy of MS, so next month.

    It does affect some other browsers.

    Again, this is a minor exploit, just use common sence and your fine.
     
  6. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Of course it's minor, 90%+ of people will never be affected by one of these exploits, it's just funny the volume of exploits that are unearthed :)
     
  7. Enyo

    Enyo Moderator

    Messages:
    1,338
    Its also not unsurprising the amount of vulnerabilities unearthed.

    This as with many of IE "holes" is just a scripting loophole.

    With all the scripting and controls IE supports i don't see why people make such a fuss when i bug is found in the way IE handles these scripts.
     
  8. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
    it is indeed a miner exploit/ agrees