DANGEROUS new internet security hole

[Sugien]

DANGEROUS new internet security hole

Well ok maybe not all that new; but in this configeration it may just
well be new:

The bad guys have now found a new way to make you think you are at a
different web page then what you really are. It use to be if you clicked on
a link even the old type of fake URL you could still tell where it sent you
by looking at the address bar of your web browser (IE). Now however there
is a new way in which you can click on a link that says it is a Microsoft
link and when you get to the page instead of the web browsers address bar
saying where you actually are instead using this new bug/hole the address
bar can say anything they like.
To see a harmless example go here:
http://dino-soft.org/security/vun1.html

To see several different ones go here after going to the above. The pages
the below link take you to only have text telling you about it; but the
above has a Microsoft banner to make it look more real

http://dino-soft.org/security/newurlhole.html

With this as with other security holes it goes to show that unless you
actually type in the address you are not sure you are going to where the
link points. Even when you do type in the URL address into the address bar,
if the page is a malicious page it could make it's self look like anything
it wants. Like maybe sending you an official looking email from your credit
card company or bank or what ever and then when you go there it looks for
all the world like it is legitimate; but it isn't and if you give up your
account number and or pin number you are most likely going to loose your
money.
About the best thing is to do one of two things, #1 don't use the
internet to buy stuff or do your banking or finances, or just to practice
safe hex which states to Never, Never Never give out your Social Security
number or pin or passwords to a site, and just remember that your credit
card company or bank ALREADY knows your account number and or pin number and
has no need to send you an email or a link in an email to a web page that
asks for your social security number/account number/credit card number/pin
because as I said earlier they ALREADY have it.

 

[James Egan]

Now however there
is a new way in which you can click on a link that says it is a Microsoft
link and when you get to the page instead of the web browsers address bar
saying where you actually are instead using this new bug/hole the address
bar can say anything they like.

That's clever. However, had the link in your example been an ordinary
one it would have shown the full text in the status bar prior to
clicking.


Jim.

 

[Jeroen [_]D]

: On Sat, 13 Dec 2003 04:10:43 GMT, "Sugien"
:
: >Now however there
: >is a new way in which you can click on a link that says it is a Microsoft
: >link and when you get to the page instead of the web browsers address bar
: >saying where you actually are instead using this new bug/hole the address
: >bar can say anything they like.
:
: That's clever. However, had the link in your example been an ordinary
: one it would have shown the full text in the status bar prior to
: clicking.
:
The full link did show up on my statusbar while downloading the page. I used
IE 6.0.2800.1106 with several updates and SP1.

It did only show up very briefly (DSL-connection).

Nevertheless, it is a nice trick. One can do very evil things with this.

 

[Adam Pepper]

DANGEROUS new internet security hole

And so easy any moron could do it. this one is worroying.

Does it work with other browsers?
--
acmp<><
(e-mail address removed) <not real duh!
acmp at ntl world dot com

http://www.HacksMeOff.pagehere.com

 

[D McAuliffe]

DANGEROUS new internet security hole

Well ok maybe not all that new; but in this configeration it may just
well be new:

The bad guys have now found a new way to make you think you are at a
different web page then what you really are. It use to be if you clicked on
a link even the old type of fake URL you could still tell where it sent you
by looking at the address bar of your web browser (IE). Now however there
is a new way in which you can click on a link that says it is a Microsoft
link and when you get to the page instead of the web browsers address bar
saying where you actually are instead using this new bug/hole the address
bar can say anything they like.
To see a harmless example go here:
http://dino-soft.org/security/vun1.html

To see several different ones go here after going to the above. The pages
the below link take you to only have text telling you about it; but the
above has a Microsoft banner to make it look more real

http://dino-soft.org/security/newurlhole.html

With this as with other security holes it goes to show that unless you
actually type in the address you are not sure you are going to where the
link points. Even when you do type in the URL address into the address bar,
if the page is a malicious page it could make it's self look like anything
it wants. Like maybe sending you an official looking email from your credit
card company or bank or what ever and then when you go there it looks for
all the world like it is legitimate; but it isn't and if you give up your
account number and or pin number you are most likely going to loose your
money.
About the best thing is to do one of two things, #1 don't use the
internet to buy stuff or do your banking or finances, or just to practice
safe hex which states to Never, Never Never give out your Social Security
number or pin or passwords to a site, and just remember that your credit
card company or bank ALREADY knows your account number and or pin number and
has no need to send you an email or a link in an email to a web page that
asks for your social security number/account number/credit card number/pin
because as I said earlier they ALREADY have it.

This is certainly disturbing. Due to my settings in IE6/patched, the link
in the first example did not work, nor did one through three in the second.
However the forth and fifth did with no indication in the status bar that I
was not going to the intended target, regardless, the average user would not
be monitoring the status bar. The Microsoft URL above the Smith Barney page
is unsettling to say the least, not to mention getting to Smith Barney in
the first place. Having to right click the link and copy the shortcut to a
word processor in order to confirm the actual link
(https://www.microsoft.com %[email protected]/) is not a practical
work-a-round. Put this into the hands of a hacked system were the Favorites
and Desktop shortcuts can be changed, the user wouldn't have a clue and the
personal sense of security would be automatic thereby having rule #2 above
fall by the wayside. A true copy of the site would be on the bogus server,
and when you'd input your user ID and password to gain entrance, an error
message could appear - site temporally down, try later. Meanwhile the
perpetrator is accessing your account. Not a good thing.
Those that have non-IE browsers; were you redirected and/or did the actual
URL appear when you hover over the link?
Sugien, have you notified security conscious MS of this?
--
~~~~~~~~~~~~~~~~~
Dave McAuliffe
Central Mass. USA
To Reply -
Replace: mailinator.com
With: email.com
~~~~~~~~~~~~~~~~~

 

[optikl]

The full link did show up on my statusbar while downloading the page. I used
IE 6.0.2800.1106 with several updates and SP1.

I have the same configuration as yours; all IE patches have been applied.
The full link did not show up on mine. I have a cable connection.

 

[James Egan]

The full link did not show up on mine. I have a cable connection.

Are you referring to the status bar or address bar?

You should have seen it briefly in the status bar though not in the
address bar. An ordinary link would show it on mouseover before
clicking.


Jim.

 

[optikl]

Are you referring to the status bar or address bar?

You should have seen it briefly in the status bar though not in the
address bar. An ordinary link would show it on mouseover before
clicking.


Jim.

More coffee needed. Yes, I was looking at the address bar, not the status
bar. You're right. I can see it in the address bar.

 

[T.R.]

To see a harmless example go here:
http://dino-soft.org/security/vun1.html

Thanks for posting this Sugien. I was totally unaware of this. I
find this most disturbing and wonder how long it will take MS to post
a critical update to fix this security hole? MS IS aware of this
aren't they????

Regards,
ô¿ô
~


Communists: Liberals who know what they're doing!

 

[me]

This is certainly disturbing. Due to my settings in IE6/patched, the link
in the first example did not work, nor did one through three in the second.
However the forth and fifth did with no indication in the status bar that I
was not going to the intended target, regardless, the average user would not
be monitoring the status bar. The Microsoft URL above the Smith Barney page
is unsettling to say the least, not to mention getting to Smith Barney in
the first place. Having to right click the link and copy the shortcut to a
word processor in order to confirm the actual link
(https://www.microsoft.com %[email protected]/) is not a practical
work-a-round. Put this into the hands of a hacked system were the Favorites
and Desktop shortcuts can be changed, the user wouldn't have a clue and the
personal sense of security would be automatic thereby having rule #2 above
fall by the wayside. A true copy of the site would be on the bogus server,
and when you'd input your user ID and password to gain entrance, an error
message could appear - site temporally down, try later. Meanwhile the
perpetrator is accessing your account. Not a good thing.
Those that have non-IE browsers; were you redirected and/or did the actual
URL appear when you hover over the link?
Sugien, have you notified security conscious MS of this?
--
~~~~~~~~~~~~~~~~~
Dave McAuliffe
Central Mass. USA
To Reply -
Replace: mailinator.com
With: email.com
~~~~~~~~~~~~~~~~~

Old-ish Netscape shows the whole link for #4 and #5.

J

 

[D McAuliffe]

More coffee needed. Yes, I was looking at the address bar, not the status
bar. You're right. I can see it in the address bar.

In Example 5, all I get in the status bar is that it is 1) downloading from
site dino-soft (the known site I'm currently on) 2) opening page at
microsoft with three dots (...), 3) downloading pictures from microsoft...,
then on Smith Barney site with microsoft in the address bar then done. No
indication that I am actually connecting or connected to Smith Barney the
destination bogus site.
--
~~~~~~~~~~~~~~~~~
Dave McAuliffe
Central Mass. USA
To Reply -
Replace: mailinator.com
With: email.com
~~~~~~~~~~~~~~~~~

 

[Roy]

DANGEROUS new internet security hole

Firebird isn't fooled!

Cheers,

Roy

 

[Ken Wright]

Mozilla 1.4 (Gecko/20030624), the full spoofed URL showed in the
location bar for all test examples listed in the oringinal
message of this thread.

Remove NO and SPAM from address to reply

 

[Christa Bartsch]

Am 13.12.2003 05:10 schrieb Sugien:

DANGEROUS new internet security hole

As for "Mozilla" - no security hole. Mozilla displays the URL in full
length, no fooling possible.

It seems to be a "Microsoft Internet Explorer" hole.

Christa Bartsch

 

[John Coutts]

And so easy any moron could do it. this one is worroying.

Does it work with other browsers?
--

****************** REPLY SEPARATER *******************
Doesn't work at all in IE6 if you change Active Scripting to <Prompt> or
<Disable> to prevent porn loops. Mozilla Firebird displays:

http://www.microsoft.com
@zapthedingbat.com/security/ex01/vun2.htm

This is not a particularly new technique, as it has been used for years by porn
sites to hide their actual location. Right clicking on the page and examining
the properties will tell you it's real location. You cannot believe anything in
the address bar.

As an aside, more than a year ago I discovered a viral infection (IE addin-in)
on a home computer that redireted all outbound web requests through a remote
site using this technique. A malicious site on <geocities.com> had conned the
user into installing a Web Enhancer. It was not discovered until there was a
problem with the routing path to the redirect site. For a relatively short
period of time, the customer could not browse, but once discovered, the Web
cache provided the trail on how it was accomplished.

J.A. Coutts

 

[Beauregard T. Shagnasty]

Quoth the raven named Sugien:

DANGEROUS new internet security hole

To see a harmless example go here:
http://dino-soft.org/security/vun1.html

Opera 7.2 raises a dialog:

"Security warning:
You are about to go to an address containing a username.
Username: www.microsoft.com[unprintable character here]
Server: zapthedingbat.com
Are you sure you want to go to this address?
OK Cancel"

http://dino-soft.org/security/newurlhole.html

...and does the same for all links/button on this page. Except for the
button, all URLs display fully in the status bar.

Obviously, yet another reason to dump IE.

 

[Boris Mohar]

****************** REPLY SEPARATER *******************
Doesn't work at all in IE6 if you change Active Scripting to <Prompt> or
<Disable> to prevent porn loops.

Where can I find Active Scripting control in IE6? It is not even in their
help index.

 

[Art S]

Where can I find Active Scripting control in IE6? It is not even in their
help index.

Tools / Internet Options / Security / <select a security level > / custom level

Art S

 

[Conor]

DANGEROUS new internet security hole

Well ok maybe not all that new; but in this configeration it may just
well be new:

It'sd not new. THey've been doing similar in links from scam e-mails
for ages.

 

[Jafar]

http://dino-soft.org/security/vun1.html

Thanks for the fun I decided to test this with the browsers I have
installed so here are the results....

1) Mozilla Firebird 0.7 and Mozilla 1.5.

http://www.microsoft.com
@zapthedingbat.com/security/ex01/vun2.htm


2) Opera 7.11 gave me this but also warned that I was about to enter a site
with a username attached

http://www.microsoft.com @zapthedingbat.com/security/ex01/vun2.htm


3) Konqueror 3.1.0

http://[email protected]/security/ex01/vun2.htm


4) Galeon 1.3.3 (This one is based on Netscape)

http://www.microsoft.com
@zapthedingbat.com/security/ex01/vun2.htm


On the second URL
http://dino-soft.org/security/newurlhole.html
All the browsers sent me to www.smithbarney.com when trying out the secure
links


Conclusion: It must only work on IE but as I don't have IE I can't see for
myself

Jafar