
    No MS Security Issues In December? Think Again!

By Larry Seltzer, December 11, 2003

Microsoft is claiming that there will be no security updates in December, but it's beginning to look like there should be. Two significant problems have crept up in the past week, and they're serious enough that Microsoft should rethink its monthly schedule plans.

The first problem involves a new way for attackers to breach network defenses in order to exploit a known vulnerability. It will be exploited in the real world very quickly, and Microsoft should endeavor to fix it as soon as possible. The vulnerability itself has been patched for a while, but when Microsoft issued the patch it also listed measures users could take in lieu of the patch to protect themselves, and it appears that these measures are inadequate. An alternate vector is available, and it might also allow for very fast attacks on large numbers of systems, a la the Slammer worm from earlier this year.

In addition, there is a particular problem in Internet Explorer which allows a malicious coder to make it appear as if the user is viewing a different Web site than the one they are actually viewing. The bug involves a feature of Uniform Resource Identifiers (browser addresses) that is more often abused than legitimately used: the @ character.

When an @ is part of the domain portion of a Web address, the browser treats the string to the left of it as a user name to fill in any userid prompts, and everything on the right side as the actual domain name. This is perfectly legitimate syntax, and the URI standard itself documents it.


      Obscuring the Address

Malicious coders, such as phishers, will often use this technique to obscure the actual address of the site they send you to. For example, they might send you a message that appears to be from Paypal and include a link that looks something like this:

http://www.paypal.com@64.225.264.128/accounts/validate.htm (The IP address I used is illegal for the same reason they use 555 phone numbers on TV shows.)

Notice the numeric string to the right of the @ mark. This link will not take you to www.paypal.com, but to 64.225.264.128. Most unsophisticated users won't notice the difference. Still, all of this monkey business is perfectly legal (if immoral) under the URI standard.

The latest bug adds a twist: if you put ASCII 00 and 01 characters (designated as %00%01 in the spec) just prior to the @ character, then Internet Explorer won't display the rest of the URL when the user views the page. In JavaScript you must use just the %01 character and also decode the string with the unescape() function.

So what does it actually look like? Consider a link labeled "Go To White House Web Site…" (the original column offered it as a live button). In the status bar, the link appears to take you to the White House site, but it actually takes you to the latest column of one of our eWEEK columnists.

The actual link was: http://www.whitehouse.gov%01%00@www.eweek.com/article2/0,4149,1407901,00.asp

The applications for phishing attacks are pretty self-explanatory. The viewer will think they're on www.paypal.com, or whatever, but they will actually be who-knows-where.
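As an added example (not code from the original column), the following Python check separates the host a casual reader sees in a link from the host the browser actually connects to, flagging both the @ userinfo trick and the %00/%01 truncation described above. The sample links are constructed from the column's two examples; www.eweek.com is assumed as the real destination of the second one.

```python
import re
from urllib.parse import urlsplit, unquote

# Control characters (ASCII 0x00-0x1F) hidden in the userinfo part via
# percent-encoding; the column describes %00 and %01 placed just before the @.
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def analyze_url(raw: str) -> dict:
    """Return the real host, the host a naive reader would take the link for,
    and a list of warnings for a mail filter or link-preview tool to surface."""
    parts = urlsplit(raw)
    real_host = parts.hostname or ""   # everything after the last @ in the authority
    userinfo = parts.username          # everything before the @, or None
    warnings = []
    apparent_host = real_host
    if userinfo is not None:
        decoded = unquote(userinfo)
        # A truncating display shows only the text up to the first control char.
        visible = CONTROL_CHARS.split(decoded, maxsplit=1)[0]
        apparent_host = visible.split(":")[0].lower()
        warnings.append("userinfo (text before @) present in URL")
        if CONTROL_CHARS.search(decoded):
            warnings.append("control characters (%00/%01) in userinfo: address truncation trick")
        if "." in apparent_host and apparent_host != real_host:
            warnings.append(f"text before @ looks like a host ({apparent_host}) "
                            f"but the real host is {real_host}")
    return {"real_host": real_host, "apparent_host": apparent_host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links: the column's two examples plus a clean one.
    for link in (
        "http://www.paypal.com@64.225.264.128/accounts/validate.htm",
        "http://www.whitehouse.gov%01%00@www.eweek.com/article2/0,4149,1407901,00.asp",
        "https://www.example.com/login",
    ):
        result = analyze_url(link)
        print(link)
        print("  appears to be:", result["apparent_host"], "| really:", result["real_host"])
        for warning in result["warnings"]:
            print("  WARNING:", warning)
```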


      Mozilla Vulnerable

      There are many variations of this particular scheme, and surprisingly some of them partially work on Mozilla as well.

The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. Versions of Mozilla I tested (Versions 1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in the address and status lines.

      There is also the issue of HTML e-mail. If an HTML message is sent with one of these links, could the user be misled to the wrong site?

      When you click on the link in a message in Outlook 2002 it opens a browser window with the correct address, and it even strips out what was to the left of the @. Ironically, Outlook Express 6 takes you to the site on the left side of the @. So in the above example, surprise, it actually takes you to www.whitehouse.gov.

Still, if you're reasonably skeptical of what you get in the mail and take reasonable precautions, you're probably safe from both of these problems. Unfortunately, not everyone is so careful.

So expect to read on these pages soon about the poor folks who credulously clicked away and got taken. It's like watching an accident happen while you're powerless to stop it. Just be careful about where you go in that browser.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
