Microsoft is claiming that there will be no security updates in December, but it's beginning to look like there should be. Two significant problems have cropped up in the past week, and they're serious enough that Microsoft should rethink its monthly schedule plans.
The first problem involves a new way for attackers to get past network defenses and exploit a known vulnerability. It will be exploited in the real world very quickly, and Microsoft should endeavor to fix it as soon as possible. The vulnerability itself has been patched for a while. But when Microsoft issued the patch, it also listed measures users could take in lieu of the patch to protect themselves, and it appears that those measures are inadequate: an alternate vector is available, one that might also allow very fast attacks on large numbers of systems, a la the Slammer worm from earlier this year.
In addition, there is a problem in Internet Explorer that allows a malicious coder to make it appear as if the user is viewing a different Web site than the one actually being viewed. The bug involves a feature of Uniform Resource Identifiers (browser addresses) that is more often abused than used legitimately: the @ character.
When an @ appears in the authority part of a Web address (the part between the // and the next /), the browser treats the string to the left of it as user information, a user name and optionally a password, to be supplied in response to any login prompt from the server, and everything to the right of it as the host name. This is perfectly legitimate syntax, spelled out in the URI standard itself.
Obscuring the Address
Malicious coders, such as phishers, often use this technique to obscure the actual address of the site they send you to. For example, they might send you a message that appears to be from PayPal and include a link that looks something like this:
http://www.paypal.com@64.225.264.128/
Notice the numeric string to the right of the @ mark. This link will not take you to www.paypal.com but to 64.225.264.128, and most unsophisticated users won't notice the difference. Still, all of this monkey business is perfectly legal (if immoral) under the URI standard.
The latest bug adds a twist: if you put the ASCII 0x01 and 0x00 control characters (written %01 and %00 in URL percent-encoding) just before the @ character, Internet Explorer stops displaying the URL at that point, so the user never sees the real host name to the right of the @. In JavaScript you must use just the %01 character and also decode the string with the unescape() function.
So what does it actually look like? In the original column, a button linked to the address below. In the status bar, the link appeared to take you to the White House site, but it actually took you to the latest column of one of our eWEEK columnists.
The actual link was: http://www.whitehouse.gov%01%[email protected]/article2/0,4149,1407901,00.asp
The applications for phishing attacks are pretty self-explanatory: the viewer will think they're on www.paypal.com, or wherever, but they will actually be who-knows-where.
Mozilla Vulnerable
There are many variations of this particular scheme, and, surprisingly, some of them partially work on Mozilla as well.
The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. The versions of Mozilla I tested (1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in the address and status lines.
There is also the issue of HTML e-mail. If an HTML message is sent with one of these links, could the user be misled to the wrong site?
When you click on the link in a message in Outlook 2002, it opens a browser window with the correct address, and it even strips out what was to the left of the @. Ironically, Outlook Express 6 takes you to the site on the left side of the @. So in the above example, surprise, it actually takes you to www.whitehouse.gov.
Still, if you're reasonably skeptical of what you get in the mail and take reasonable precautions, you're probably safe from both of these problems. Unfortunately, not everyone is so careful.
So expect to read on these pages soon about the poor folks who credulously clicked away and got taken. It's like watching an accident happen when you're powerless to stop it. Just be careful about where you go in that browser.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.