Microsoft is rejecting claims from security researchers that a spoofing technique discovered on Internet Explorer is a security vulnerability.
we could debate on whether or not a car can be used to get you from point A to point B too.
Idiots. If it’s something that could be used to fool ppl into inputting their credit card numbers or SSN on someone’s website or fooling a person into thinking they’re downloading the latest update from Microsoft, when they’re downloading some trojan so a malicious person can scam their passwords and other sensitive information, then yeah, it’s a major security flaw.
http://www.mozilla.org/products/firefox/
http://www.spreadfirefox.com/
i remember the other spoofing vuln from 2003, when you could use javascript unescape function. it was certainly a security vuln that time, because it was so easy to spoof a website. this flaw, on the surface, appears similar in scope.
MS should whine a little less, and just fix the darn code.
This isn’t really a new or IE only issue is it? Maybe the way that the status-bar text is set may be new but this has been possible with a little javascript for a very very long time. Or am I missing something?
Though IE doesn’t do anything to help with this problem, I know someone who got nailed with this using Firefox. Sometimes if it looks like a Citibank website (or whatever), they don’t even check the URL. There’s no compensating for stupidity. Anyway, XP SP2 is not affected by this issue, according to the article.
Yes, and that was considered a security flaw in Firefox. They fixed their problem a lot faster than MS fixed IE.
I have to admit, I get a little angry every time I read someone refer to IE XP SP2. The majority of windows users are still on something other than XP, thus they can’t get IE with the latest fixes.
I have to admit, I get a little angry every time I read someone refer to IE XP SP2. The majority of windows users are still on something other than XP, thus they can’t get IE with the latest fixes.
To be fair you can’t expect a company to patch every obsolete old version of software out there. I agree that MS should offer IE as a separate download to this day but computing systems and software are moving targets.
People like to bitch that MS doesn’t fix these problems and then when they do get fixed, people bitch that they need to update to a new service pack to get the fix. That’s life. If all they did was patch the browser people would still be bitching over needing the patch.
If I want some obscure flaw in Netscape 4.7 fixed I’m pretty sure most folks would tell me to upgrade to mozilla. It’s the way things go I guess.
To be fair you can’t expect a company to patch every obsolete old version of software out there. I agree that MS should offer IE as a separate download to this day but computing systems and software are moving targets.
I agree. But they still have Windows 2000 and *cough*ME*cough which they have years of support left. Then there’s the millions of users still on Win98. All three of which you can install the latest version of IE on (minus XP SP2’s version).
security, for example, is a feature
I don’t think that’s stupidity, it’s just human nature…..we can’t all be paranoid about everything all the time ! (and spyware requires us to be paranoid!)
“People like to bitch that MS doesn’t fix these problems and then when they do get fixed, people bitch that they need to update to a new service pack to get the fix. That’s life. If all they did was patch the browser people would still be bitching over needing the patch.”
Problem is IE is the same version on all platforms, they should therefore release it as standalone. Anyways I don’t care, MS can’t make me upgrade so I switch to linux and pay lower prices.
This isn’t really a new or IE only issue is it?
um, it’s IE only. read the Bugtraq post. prior vulns in FF are irrelevant, since MS’s statement is about this new vuln and Internet Explorer.
begin quote from Bugtraq:
URL spoofing bug (with iframes) in Microsoft Internet Explorer (11/02/2004)
Forum: SecurePoint – BUGTRAQ Archive
Date: Nov 02, 19:07
From: Benjamin Tobias Franz <nobody at nowhere.com>
URL spoofing bug (with iframes) in Microsoft Internet Explorer:
(11/02/2004)
There is a security bug in Microsoft Internet Explorer, which allows to
show any faked target-address in the status bar of the window.
The example below will display a faked URL (“http://www.microsoft.com/”) in
the status bar of the window, if you move your mouse over the link. Click
on the link and IE will go to “http://www.google.com/” and NOT to
“http://www.microsoft.com/” .
HTML code for page #1 called “btf.htm”:
<a href="http://www.microsoft.com/">
<iframe src="./btf-spoofing.htm" frameborder="0" scrolling="no" width="70"
height="25" marginheight="0" marginwidth="0"></iframe>
HTML code for page #2 called “btf-spoofing.htm”:
http://www.google.com/“ Click here
Save both codes as HTML files in the same directory and open “btf.htm” with
Microsoft Internet Explorer.
Description:
Microsoft Internet Explorer can not handle embedded frames with links
surrounded by an other link correct.
Successful exploitation allows a malicious web site to obfuscate URLs in
the status bar, even when javascript support has been disabled.
Affected software:
Microsoft Internet Explorer
Workaround:
Never follow links from untrusted sources. Or right-click on links and
select “Properties” to see the real target. Or use Copy-and-Paste.
Tested in Microsoft Internet Explorer 6 SP1 (6.0.2800.1106) with all
patches installed on Windows 98. I see “http://www.microsoft.com/” in
status bar.
ONLY if I press tabulator-key 3x (to jump to next link) or click on the
link, then I can see correct info (“http://www.google.com/”) in status bar.
My DLL versions:
MSHTML.DLL: 6.00.2800.1477
BROWSEUI.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
SHDOCVW.DLL: 6.00.2800.1596 (xpsp2.040919-1003)
SHLWAPI.DLL: 6.00.2800.1584 (xpsp2.040720-1705)
URLMON.DLL: 6.00.2800.1475
WININET.DLL: 6.00.2800.1475
Regards,
Benjamin Tobias Franz
Germany
To be fair you can’t expect a company to patch every obsolete old version of software out there. I agree that MS should offer IE as a separate download to this day but computing systems and software are moving targets.
it’s the same deal in the open-source world to some extent. if you pick some really old distro for a really old computer, you may have to disable most of the daemons and patch manually. for instance, i use Slackware, and generally 9.1, 10.0, and –current receive patches. if i want a really old version, i might choose Deli linux (based on Slack 7.1) and hope that they apply security patches.
Windows 98 is already 6 years old, so it’s nice it’s still receiving patches.
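The Bugtraq post quoted above describes an iframe placed inside a link, so that the status bar shows the outer link's address while a click lands on a link inside the framed page. As an added example (not part of the thread or of the Bugtraq post), here is a check that a mail or web content filter could run to flag that markup pattern; the class and function names and both sample documents are constructed for illustration, with the first sample modeled on page #1 from the post.

```python
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Finding:
    line: int        # line of the <iframe> start tag
    link_href: str   # href of the enclosing <a>: what the status bar shows
    frame_src: str   # framed document whose own links receive the click


class FramedLinkScanner(HTMLParser):
    """Flags every <iframe> that sits inside an <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_href = None   # href of the currently open <a>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)     # the parser lowercases tag and attribute names
        if tag == "a":
            # Browsers close a still-open <a> when a new one starts,
            # so only the most recent anchor can enclose what follows.
            self.open_href = attrs.get("href")
        elif tag == "iframe" and self.open_href is not None:
            line, _col = self.getpos()
            self.findings.append(
                Finding(line, self.open_href, attrs.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "a":
            self.open_href = None


def scan(html_text):
    """Return a list of Finding objects for one HTML document."""
    scanner = FramedLinkScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample, modeled on page #1 ("btf.htm") from the post.
SAMPLE_SUSPECT = (
    '<p>Account notice</p>\n'
    '<a href="http://www.microsoft.com/">\n'
    '<iframe src="./btf-spoofing.htm" frameborder="0" scrolling="no" width="70"\n'
    'height="25" marginheight="0" marginwidth="0"></iframe>\n'
    '</a>\n'
)

# Constructed sample: an ordinary link and an iframe that is not inside it.
SAMPLE_CLEAN = (
    '<a href="http://www.example.com/">Example</a>\n'
    '<iframe src="./banner.htm"></iframe>\n'
)

if __name__ == "__main__":
    for name, doc in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        for f in scan(doc):
            print(f"{name}: line {f.line}: link to {f.link_href} "
                  f"wraps iframe {f.frame_src}")
```

A hit means the address shown on hover cannot be trusted for that region of the page; the filter can strip the iframe or rewrite the message to plain text.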
Yes, and that was considered a security flaw in Firefox. They fixed their problem a lot faster than MS fixed IE.
And this is supposed to help people without the patch how? The only reason why worms spread in Windows the way they do is because people don’t bother to patch their boxes. As far as I can remember, pretty much any major worm outbreak in Windows occured after a patch was made available. So, you can’t assume that just because you release a patch (be it an open source app or otherwise) that it is not a problem anymore, unless the user has auto-update turned on.
When a critical firefox update comes out, the first thing you see when you launch the browser is a red page telling you to update.
With Microsuck, you practically have to comb news sites to find these things out.
When a critical firefox update comes out, the first thing you see when you launch the browser is a red page telling you to update.
Really? I’ve always been a few weeks late updating Firefox builds since 0.6 when I first started using it, and never once have I seen a ‘red page’ on startup. Perhaps because I changed the home page? I went to Tools|Option and have software updates checked. I did a manual check, and it thinks I have the latest version installed, even though I haven’t updated to the release candidate yet.
With Microsuck, you practically have to comb news sites to find these things out.
Or you could turn on automatic updates, which, apparently unlike Firefox, actually notifies you when updates are available.
BTW: Why do people always feel they have to resort to name-calling in order to get their point across? Do you really think it impresses anyone?
“To be fair you can’t expect a company to patch every obsolete old version of software out there. I agree that MS should offer IE as a separate download to this day but computing systems and software are moving targets.”
MS promised 10 years of support for platforms. In 2002 they relegated w2k to the scrap heap and said they will only do patches but not new features. Now it’s 2004 and w2k users don’t even get a patch for this flaw. Ok, 10 years of support is a bit long, but how about getting at least 5 years of support per their original agreement.
“People like to bitch that MS doesn’t fix these problems and then when they do get fixed, people bitch that they need to update to a new service pack to get the fix. That’s life.”
Well, if you break a contract that would be called a breach of contract. But since this is a license agreement, I am not sure what the heck this is called. However, they failed to meet even their original obligation. Life is about owning up to your own responsibilities. XP comes pre-installed on machines, people that bought 2000 had to actually buy it, there were never any pre-installed versions and what not. Most of corporate america runs win2000. This is a great way to tick off a good chunk of your base.
Actions like this will turn around and bite them. I can guarantee that MS will never see another dime from me. I have seen enough bogus promises from MS from approx 1980. Yes, I have just dated myself. But it’s a long history of them breaking their word.
“The software giant did accept the possibility that spoofing could occur on version 6 of IE but rejected claims that this is a security flaw.”
It’s called a feature.
“In an e-mail statement, the company said: “Microsoft is aware of a security issue reported last week that could allow spoofing the URL a user sees in Internet Explorer’s status bar. Users could see a URL in the status bar when the mouse hovers over the link on a Web page, but clicking the link would take the user to a different URL. Our investigation has indicated that this is not a security vulnerability.””
Then why is it called a security issue? I guess a security issue and a vulnerability are different to MS.
“The result, Franz asserted, is that malformed links to URLs could take people to an entirely different Web site without their knowledge.
But Microsoft said a large amount of social engineering would need to take place if victims were to fall for such attacks.”
Yes, large amounts of social engineering. Double click and enter your credit card info. Thats huge!!!
“Microsoft’s statement said. “Once on the destination site, the user would need to be enticed by the attacker to take some action, such as disclosing confidential financial information, without the user noticing that the URL in the address bar does not match the URL that the user thought he (or) she was visiting.””
How about pretending to be a bank.
“Microsoft added that it “will evaluate the feasibility of implementing similar changes on earlier versions of Windows in the future.””
With over 20 years of history with MS and this translates into “No”. Well not actually no. I will just delay the issue until you forget about it.
“On Bugtraq, Franz said HTML e-mail messages were vulnerable to the technique, so Microsoft Outlook Express is also affected. Franz wrote that people should right-click on links to check their real destination.”
I guess Franz didn’t read MS’ email stating that this is a security issue and not a Vuln. Shame for shame.
MS promised 10 years of support for platforms. In 2002 they relegated w2k to the scrap heap and said they will only do patches but not new features. Now it’s 2004 and w2k users don’t even get a patch for this flaw. Ok, 10 years of support is a bit long, but how about getting at least 5 years of support per their original agreement.
There is a difference between supporting a product and adding new features. MS’s customers will tell them if this is worth patching in IE for windows 2000.
I’d like to see it patched too, but I won’t be surprised if it doesn’t get patched on IE6 and alternative browsers look better every day when things like that happen.
Well, if you break a contract that would be called a breach of contract. But since this is a license agreement, I am not sure what the heck this is called.
At work we have over 200 Windows 2000 workstations and we have a support contract with MS on those OS installs. A breach of contract would be when MS refuses to get us a hotfix for an issue that is critical to the operation of our business.
This issue doesn’t even register on our radar as something to be concerned about. Of course the vast majority of our users are running Mozilla so IE issues really don’t affect much unless they are real show stoppers.
However, they failed to meet even their original obligation. Life is about owning up to your own responsibilities. XP comes pre-installed on machines, people that bought 2000 had to actually buy it, there were never any pre-installed versions and what not.
Every Win2000 workstation we have shipped with 2000 installed. I have no idea what you are talking about here.
Their original obligation (to us at least) was to provide support for the OS. They do that. We had a 3rd party email server that was causing a COM registration conflict with some system components recently. A MS system engineer had the issue sorted out in 2 days flat and we had a fix made available to us. That’s support.
Most of corporate america runs win2000. This is a great way to tick off a good chunk of your base
If it happens that way then they’ll pay the price. That’s how the world spins for sure.
it’s my understanding that win 2k and 98 would be patched for this flaw, or vulnerability, or whatever MS calls it. however, the enhanced features added by XP SP2 will not be found in some older OS. SP2 proactively thwarts some vulnerabilities much like adding gr-security to linux. it prevents future as well as past flaws. (it’s not perfect but it’s a start.)
To be fair you can’t expect a company to patch every obsolete old version of software out there. I agree that MS should offer IE as a separate download to this day but computing systems and software are moving targets.
People like to bitch that MS doesn’t fix these problems and then when they do get fixed, people bitch that they need to update to a new service pack to get the fix. That’s life. If all they did was patch the browser people would still be bitching over needing the patch.
If I want some obscure flaw in Netscape 4.7 fixed I’m pretty sure most folks would tell me to upgrade to mozilla. It’s the way things go I guess.
The big problem with IE is, that you can’t normally just update IE. You need to update the complete system and risk to break other stuff. With other browsers you don’t have that kind of troubles. And best thing about the other browsers is: You can go back to an older version.
Try to roll back a service pack or several fixes installed with Windows Update. I know, that you could do it, but often you break more stuff than you fix, when you roll back.
might we all take this time to pull out our trusted Webster dictionaries and review what “security” means.
This issue affects Safari and (reportedly) Camino as well. I have to admit, though, that I find this a very small “security hole.” Sure, it can be misleading, but very few of the people who would be taken in by issues this can create even know that the status bar exists. Most average users don’t know when their browser should be in a secure state, or what various SSL certificate errors mean. To expect them to verify a mouse-over of a link shows the same URL in the status bar is really giving them far too much credit. I’m not bashing the average user, but rather the mind that expects them to be aware of this sort of trivial issue. If they are going to be bilked by eBay phishing scams, nothing is going to save them, and certainly not a mouse-over action.
Wow, that was ugly — try this sentence instead:
Sure, it can be misleading, but very few of the people who would be taken by the issues that a flaw like this can create even know that the status bar exists.
So you believe everything you read? I mean have you checked the mi2g study? Just repeating what one approved by the queen controversial company shows up with, some sort of study which nobody can check or verify unless you pay for it says nothing.
Many users don’t know what a browser is. If they have AOL, they use AOLs browser. If they have cable connections or dsl, all they know is that they click on the “E” to get online. Mozilla based browsers need to show (ADVERTISE) how someone who may connect to the internet in different ways will be able to use another browser besides their primary. Users are not informed about the web in this way.
MS wants to keep it that way by integrating web technologies more and more into its OS usage so that the web (and browsing) is ambiguous to the user.
Customers have to be courted through marketing since IT-religious convictions only work for some people. Firefox has started this and I hope they continue.
take this then
http://www.novell.com/linux/truth/better_choice.html
Yes, users do not know what a browser is. Why should they? Do you know the name of all the different parts in your car? Do you fight for your right to replace one part with a part from another company? Do you care how tightly that part is integrated?
Or, if that’s apples and oranges, please explain the difference.
Come on, Microsoft is right this time. The same effect can be accomplished with javascript or whatnot. It is a bug to be fixed but let’s not blow it off scale!
Of course, javascript is mostly an immature hack and I kept it turned off when I was using Windows/IE.
mi2g is running Apache/1.3.29 on Debian Linux and
Apache/2.0.46 on Redhat.
Please stop making a fool of yourself. You
behave more as a troll than a wolf.
>Yes, users do not know what a browser is. Why should they? Do
>you know the name of all the different parts in your car?
No all but the most important, steering wheel, throttle, brakes etc. Say for instance that my brakes would be unsecure i would replace them same goes for my tyres.
Knowing the engine etc. is more like the kernel not the webbrowser.
>Do you fight for your right to replace one part with a part
>from another company? Do you care how tightly that part is
>integrated?
Of course. If you do not you’re stupid, you then will always
get the parts that are 1. the most expensive 2. which have the most margin.
Certainly not the best or most secure. You must demand.
>Or, if that’s apples and oranges, please explain the
>difference.
I just did.
>Yes, users do not know what a browser is. Why should they? Do
>you know the name of all the different parts in your car?
No we don’t care to know all the parts to our cars but neither do we care to know every single proxy server and router that our connection is going through. However, we do know when we walk into our garage that the car we’re going to drive today is a Dodge with Dodge factory parts except for our tires. We didn’t want regular Dodge supplied tires so we got some nice Goodyear’s. We wouldn’t call ourselves a car expert in the least but we know that what we have is better than what they were going to give us. That’s all we need to know. We were told that through word of mouth, advertisements, and research…stuff that matters. Educating customers goes a long way. MS knows this and its competitors should embrace it in their own strategies. Firefox has created a great product and people need to be told why they need it over and over again until they believe they need it.
>Or, if that’s apples and oranges, please explain the
>difference.
That’s more like pomegranates and oranges. Try again.
MS wants to keep it that way by integrating web technologies more and more into its OS usage so that the web (and browsing) is ambiguous to the user.
The word you’re after is “transparent”.
You know it really doesn’t matter if the issue fits Microsoft’s definition of a “security flaw.” It’s not good and should be fixed. End of story.
hello