PDA

View Full Version : News: Open source firm releases patch for IE spoofing flaw



stu140103
19-12-2003, 10:48 AM
Open source firm releases patch for IE spoofing flaw

An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability (http://www.theage.com.au/articles/2003/12/12/1071125632006.html) in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information.

Openwares.org (http://www.openwares.org/), a Vaunatian company, with branches in Israel, the US and France, released the patch (http://security.openwares.org/) and the source code for the same a couple of days back.

The company has also set up two pages where users can test to see if they are vulnerable to the exploit, one a fake Microsoft Update example and the other an example of a fake PayPal site.

In its advisory, issued along with the patch, Openwares.org said: "Successful exploitation (of this flaw) allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page."

It gave the vulnerability a rating of 5 on a five-point scale.

While Microsoft has released (http://www.theage.com.au/articles/2003/12/16/1071336936381.html) an article providing details about the vulnerability, the company is yet to provide a patch.

The flaw was disclosed on December 9 by
graphic designer Sam Greenhalgh.
(http://www.zapthedingbat.com/)

bmason
19-12-2003, 11:41 AM
From the age article, no firebird is not vulnerable it correctly displays "http://windowsupdate.microsoft.com%01@security.openwares. org/Update.htm" on the test pages.

I imagine it will not take long to spammers, etc to star exploiting this bug. It is trivial to use and MS won't be releasing a patch until ~15 Jan at the earliest so it is part of their monthly patch set.

Graham L
19-12-2003, 11:45 AM
And after all, MS had declared December a patch-free month. :D

Susan B
19-12-2003, 12:21 PM
Interesting. Firebird displayed the entire URL for me so it is strange that they are claiming that it can be spoofed in Firebird.

> And after all, MS had declared December a patch-free month.

They said they are giving us a holiday from patches. :D

ilikelinux
19-12-2003, 02:00 PM
> And after all, MS had declared December a patch-free month.

What??? How do they expect to keep their os's running?

agent
19-12-2003, 02:07 PM
Windows 95 runs fine, and it hasn't had patches released for some time now... ;)

ugh1
19-12-2003, 02:44 PM
Yet another reason to ditch IE and move to a more safer and faster browser..

Gee when will people get the message!

<grin>

Graham L
19-12-2003, 02:48 PM
The classic patch for W95 was the one which fixed the "48.2 day" bug. If it ran that long without crashing, it was guaranteed to crash then.

bmason
20-12-2003, 03:23 PM
Any IE users thinking about installing the patch might want to read this (http://www.theregister.co.uk/content/55/34618.html). Sounds like it was poorly implemented, and may have included spyware.

BTW, according to the link the problem is with both %01 and %00 (NULL). If it does work with NULL then the lack of security testing done on IE is shocking. Checking it handles the NULL character correctly would be one of the first things to check for a program written in C/C++ (C uses NULL to mark the end of strings).

stu140103
20-12-2003, 08:39 PM
> Any IE users thinking about installing the patch
> might want to read
> this (http://www.theregister.co.uk/content/55/34618.htm
> ). Sounds like it was poorly implemented,
> and may have included spyware.

bugger!!!!( I have all ready install the patch :(:_|) System Restore time......

:|

Chilling_Silently
20-12-2003, 09:47 PM
> Yet another reason to ditch IE and move to a more
> safer and faster browser..

Nicely put. Straight to the point and I totally agree ;-)

> Gee when will people get the message!

Some people are slow learners ;-)

That and some web-designers cant code to standards :p

stu140103
20-12-2003, 09:51 PM
Would a System Restore back to before I applied the fix will that remove any traces of that patch?????

Chilling_Silently
20-12-2003, 09:54 PM
Provided you made the restore point before you installed the patch.

Dont forget to backup your Documents etc that may have changed since the restore point!