Score one for IE,.. misdirection

Discussion in 'Computer Support' started by Pennywise@DerryMaine.gov, Feb 8, 2005.

  1. Guest

    Just got an E-mail, and thought I'd pass it on, IE is the only browser
    that isn't affected.

    -------------

    The "Homograph Attack", a new and very nasty trick for misdirecting
    people to fake web sites:

    Many browsers now accept "International Domain Names", which allow
    non-English characters (for example, verfälscht.com).
    Unfortunately, some non-English characters look exactly like English
    ones. This allows evildoers to set up real-looking links to fake
    websites.

    See this page for example:

    http://www.shmoo.com/idn/

    You will see a couple of links that appear to go to www.paypal.com.
    In reality, the first "a" in "paypal" is a Cyrillic (Russian) "a".
    So the links go to a fake site instead. (This is an example page,
    and it's safe to click on the links.)

    This trick is known to work in the following browsers:

    Most Mozilla-based browsers
    (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    Safari 1.2.5
    Opera 7.54
    Omniweb 5

    It does NOT affect Microsoft Internet Explorer (yet), because
    Microsoft hasn't added support for International Domain Names.
    (However, if you've installed a third-party Internet Explorer plug-
    in to add International Domain Name support, you may be vulnerable.)

    Technical details are here:

    http://www.shmoo.com/idn/homograph.txt

    --
    , Feb 8, 2005
    #1
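The homograph trick described in post #1, as an added example that is not part of the original thread: the function below reports a hostname's ASCII (Punycode) form, any label that mixes scripts, and which protected name it imitates. The sample hosts, the `protectedNames` list and the short confusables table are constructed for illustration and are not a complete Unicode confusables set.

```javascript
// Added example: classify hostnames the way a mail or proxy link filter might.
// The script list and CONFUSABLES map are a small illustrative subset.
const SCRIPTS = ["Latin", "Cyrillic", "Greek"].map(
  (name) => [name, new RegExp(`\\p{Script=${name}}`, "u")]);

// Cyrillic letters that render like Latin ones in most fonts.
const CONFUSABLES = {
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
  "\u0441": "c", "\u0443": "y", "\u0445": "x",
};

// Scripts used by the letters of one DNS label (digits and "-" match none).
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of SCRIPTS) if (re.test(ch)) found.add(name);
  }
  return [...found].sort();
}

// Replace known look-alikes with their Latin twins to get a comparison key.
function skeleton(host) {
  return [...host.toLowerCase()].map((ch) => CONFUSABLES[ch] || ch).join("");
}

// Report the Punycode form, mixed-script labels, and the protected name
// (if any) that the host is visually indistinguishable from.
function analyzeHost(host, protectedNames = []) {
  const lower = host.toLowerCase();
  const ascii = new URL("http://" + host).hostname; // WHATWG URL applies IDNA ToASCII
  const isIdn = ascii.split(".").some((l) => l.startsWith("xn--"));
  const mixedLabels = lower.split(".").filter((l) => scriptsInLabel(l).length > 1);
  const key = skeleton(lower);
  const imitates = protectedNames.find((n) => n === key && n !== lower) || null;
  return { host, ascii, isIdn, mixedLabels, imitates };
}

// Constructed samples: the real name, the Cyrillic-"a" look-alike from the
// post, and the post's legitimate single-script IDN example.
const SAMPLE_HOSTS = ["www.paypal.com", "www.p\u0430ypal.com", "verf\u00e4lscht.com"];
for (const h of SAMPLE_HOSTS) {
  console.log(analyzeHost(h, ["www.paypal.com"]));
}
```

A label written entirely in one non-Latin script passes the mixed-script check, so the skeleton comparison against protected names is the part that catches that case.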

  2. SgtMinor Guest

    wrote:

    > Just got an E-mail, and thought I'd pass it on, IE is the only browser
    > that isn't affected.
    >
    > -------------
    >
    > The "Homograph Attack", a new and very nasty trick for misdirecting
    > people to fake web sites:
    >
    > Many browsers now accept "International Domain Names", which allow
    > non-English characters (for example, verfälscht.com).
    > Unfortunately, some non-English characters look exactly like English
    > ones. This allows evildoers to set up real-looking links to fake
    > websites.
    >
    > See this page for example:
    >
    > http://www.shmoo.com/idn/
    >
    > You will see a couple of links that appear to go to www.paypal.com.
    > In reality, the first "a" in "paypal" is a Cyrillic (Russian) "a".
    > So the links go to a fake site instead. (This is an example page,
    > and it's safe to click on the links.)
    >
    > This trick is known to work in the following browsers:
    >
    > Most Mozilla-based browsers
    > (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    > Safari 1.2.5
    > Opera 7.54
    > Omniweb 5


    It doesn't work in Mozilla 1.7.3 on this machine

    >
    > It does NOT affect Microsoft Internet Explorer (yet), because
    > Microsoft hasn't added support for International Domain Names.
    > (However, if you've installed a third-party Internet Explorer plug-
    > in to add International Domain Name support, you may be vulnerable.)
    >
    > Technical details are here:
    >
    > http://www.shmoo.com/idn/homograph.txt
    >
    SgtMinor, Feb 8, 2005
    #2

  3. SgtMinor wrote:

    >> This trick is known to work in the following browsers:
    >>
    >> Most Mozilla-based browsers
    >> (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    >> Safari 1.2.5
    >> Opera 7.54
    >> Omniweb 5

    >
    >
    > It doesn't work in Mozilla 1.7.3 on this machine


    Works jimmy dandy on Firefox here.
    Rôgêr, Feb 8, 2005
    #3
  4. SgtMinor Guest

    Rôgêr wrote:

    > SgtMinor wrote:
    >
    >>> This trick is known to work in the following browsers:
    >>>
    >>> Most Mozilla-based browsers
    >>> (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    >>> Safari 1.2.5
    >>> Opera 7.54
    >>> Omniweb 5

    >>
    >>
    >> It doesn't work in Mozilla 1.7.3 on this machine

    >
    > Works jimmy dandy on Firefox here.


    Firefox says meeow here.
    SgtMinor, Feb 8, 2005
    #4
  5. SgtMinor appears, somewhat unbelievably, to have opined:
    > Rôgêr wrote:
    >
    >> SgtMinor wrote:
    >>
    >>>> This trick is known to work in the following browsers:
    >>>>
    >>>> Most Mozilla-based browsers
    >>>> (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    >>>> Safari 1.2.5
    >>>> Opera 7.54
    >>>> Omniweb 5
    >>>
    >>>
    >>>
    >>> It doesn't work in Mozilla 1.7.3 on this machine

    >>
    >>
    >> Works jimmy dandy on Firefox here.

    >
    >
    > Firefox says meeow here.


    Worked first time for me. Please note that the solution is as follows:

    Type about:config in the address bar of Mozilla or Firefox.

    Scroll down to the entry network.enableIDN and double click it to read
    false.

    Exit Moz/Fox and restart. Now go back to the page and it will render a
    page not found message.

    --
    I sent ten puns to all my friends hoping that at least one
    would make them laugh.
    Sadly, no pun in ten did.
    Dennis Turner, Feb 8, 2005
    #5
  6. DC Guest

    Dennis Turner wrote:
    > SgtMinor appears, somewhat unbelievably, to have opined:
    >> Rôgêr wrote:


    >>> SgtMinor wrote:


    >>>>> This trick is known to work in the following browsers:


    >>>>> Most Mozilla-based browsers
    >>>>> (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    >>>>> Safari 1.2.5
    >>>>> Opera 7.54
    >>>>> Omniweb 5




    >>>> It doesn't work in Mozilla 1.7.3 on this machine



    >>> Works jimmy dandy on Firefox here.



    >> Firefox says meeow here.


    > Worked first time for me. Please note that the solution is as follows:


    > Type about:config in the address bar of Mozilla or Firefox.


    > Scroll down to the entry network.enableIDN and double click it to read
    > false.


    > Exit Moz/Fox and restart. Now go back to the page and it will render a
    > page not found message.


    A link to complement your info. Note the Updates at bottom, also.

    http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html

    --
    DC Linux RU #1000111011000111001
    DC, Feb 8, 2005
    #6
  7. SgtMinor wrote:
    > Rôgêr wrote:


    >> SgtMinor wrote:


    >>>> This trick is known to work in the following browsers:


    >>>> Most Mozilla-based browsers
    >>>> (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    >>>> Safari 1.2.5
    >>>> Opera 7.54
    >>>> Omniweb 5



    >>> It doesn't work in Mozilla 1.7.3 on this machine


    >> Works jimmy dandy on Firefox here.


    > Firefox says meeow here.


    Toggle to FALSE the network.enableIDN setting in about:config.

    --
    Blinky Linux Registered User 297263

    Who has implemented Usenet Solution #45933:
    Now killing all posts made with User-Agent G2
    Blinky the Shark, Feb 8, 2005
    #7
  8. wrote:

    > Just got an E-mail, and thought I'd pass it on, IE is the only browser
    > that isn't affected.


    Konqueror not fooled; Lynx not fooled; Dillo not fooled.

    Probably more that aren't effected; those are just what I tested here.

    Simple fix for Firefox already made.

    --
    Blinky Linux Registered User 297263

    Who has implemented Usenet Solution #45933:
    Now killing all posts made with User-Agent G2
    Blinky the Shark, Feb 8, 2005
    #8
  9. Ionizer Guest

    "Blinky the Shark" <> wrote in message
    news:...
    > wrote:
    >
    >> Just got an E-mail, and thought I'd pass it on, IE is the only browser
    >> that isn't affected.

    >
    > Konqueror not fooled; Lynx not fooled; Dillo not fooled.
    >
    > Probably more that aren't effected; those are just what I tested here.
    >
    > Simple fix for Firefox already made.
    >


    Changing network.enableIDN to false did not fix the problem in my Firefox
    version .98, even after I emptied my cache and restarted the browser. It
    looks like I've finally found a compelling reason to upgrade to version
    1.0.

    By the way, I read your account of the 1994 earthquake with interest. Do
    you keep your Gibson in a case these days?

    Regards,
    Ian.
    Ionizer, Feb 8, 2005
    #9
  10. Ionizer wrote:

    > "Blinky the Shark" <> wrote in message
    > news:...


    >> wrote:


    >>> Just got an E-mail, and thought I'd pass it on, IE is the only browser
    >>> that isn't affected.


    >> Konqueror not fooled; Lynx not fooled; Dillo not fooled.


    >> Probably more that aren't effected; those are just what I tested here.


    >> Simple fix for Firefox already made.


    > Changing network.enableIDN to false did not fix the problem in my Firefox
    > version .98, even after I emptied my cache and restarted the browser. It
    > looks like I've finally found a compelling reason to upgrade to version
    > 1.0.


    Did you do it in about:config? Someone reported in email that he'd
    added a line to prefs.js manually, with no result. When he nuked that
    and toggled the setting through about:config, it worked fine.

    > By the way, I read your account of the 1994 earthquake with interest. Do
    > you keep your Gibson in a case these days?


    I sure do. And my bookcases are fastened to the studs in the wall. :)

    --
    Blinky Linux Registered User 297263

    Who has implemented Usenet Solution #45933:
    Now killing all posts made with User-Agent G2
    Blinky the Shark, Feb 8, 2005
    #10
  11. Joel Rubin Guest

    On Tue, 08 Feb 2005 01:43:23 GMT, wrote:

    >
    >Just got an E-mail, and thought I'd pass it on, IE is the only browser
    >that isn't affected.
    >
    >-------------
    >
    >The "Homograph Attack", a new and very nasty trick for misdirecting
    >people to fake web sites:
    >
    >Many browsers now accept "International Domain Names", which allow
    >non-English characters (for example, verfälscht.com).
    >Unfortunately, some non-English characters look exactly like English
    >ones. This allows evildoers to set up real-looking links to fake
    >websites.


    I saw this on OSSN.NET. I think it just goes to prove that if a
    product has a large enough user base it will get attacked.

    That's why most individual computer exploits seem to involve Windows
    and IE and most web server exploits seem to involve Apache over Linux
    or Unix with maybe some add on. (e.g. the RLSP Mailer exploit for PHP
    Nuke beloved of phishers and 419ers)

    Some products are better than others in handling attacks but it seems
    unlikely that anything sufficiently complicated is bulletproof.
    Joel Rubin, Feb 8, 2005
    #11
  12. Scrote Guest

    wrote:
    >> Just got an E-mail, and thought I'd pass it on, IE is the only
    >> browser that isn't affected.
    >>
    >> -------------
    >>
    >> The "Homograph Attack", a new and very nasty trick for misdirecting
    >> people to fake web sites:
    >>
    >> Many browsers now accept "International Domain Names", which allow
    >> non-English characters (for example, verfälscht.com).
    >> Unfortunately, some non-English characters look exactly like English
    >> ones. This allows evildoers to set up real-looking links to fake
    >> websites.
    >>
    >> See this page for example:
    >>
    >> http://www.shmoo.com/idn/
    >>
    >> You will see a couple of links that appear to go to www.paypal.com.
    >> In reality, the first "a" in "paypal" is a Cyrillic (Russian) "a".
    >> So the links go to a fake site instead. (This is an example page,
    >> and it's safe to click on the links.)
    >>
    >> This trick is known to work in the following browsers:
    >>
    >> Most Mozilla-based browsers
    >> (Firefox 1.0, Camino .8.5, Mozilla 1.6, Netscape, etc)
    >> Safari 1.2.5
    >> Opera 7.54
    >> Omniweb 5
    >>
    >> It does NOT affect Microsoft Internet Explorer (yet), because
    >> Microsoft hasn't added support for International Domain Names.
    >> (However, if you've installed a third-party Internet Explorer plug-
    >> in to add International Domain Name support, you may be vulnerable.)
    >>
    >> Technical details are here:
    >>
    >> http://www.shmoo.com/idn/homograph.txt
    >>
    >> --


    Slimbrowser V4.03 build 007 not fooled. It's probably the build number
    that provides the protection.
    --
    In my sentences I go where no man has gone before...I am a boon to the
    English language. -- George W. Bush
    Scrote, Feb 8, 2005
    #12
  13. Scrote wrote:

    > Slimbrowser V4.03 build 007 not fooled. it's probably the build number
    > that provides the protection.


    Is that another Gecko-based browser?

    --
    Blinky Linux Registered User 297263

    Who has implemented Usenet Solution #45933:
    Now killing all posts made with User-Agent G2
    Blinky the Shark, Feb 8, 2005
    #13
  14. On 08 Feb 2005, Blinky the Shark scribbled in
    24hoursupport.helpdesk:

    > Scrote wrote:
    >
    >> Slimbrowser V4.03 build 007 not fooled. it's probably the build
    >> number that provides the protection.

    >
    > Is that another Gecko-based browser?
    >


    It's a shell for IE.

    --
    The Old Sourdough
    In the future, the oceans will dry up, and people will find things they
    dropped in the toilet years ago.-George Carlin
    The Old Sourdough, Feb 8, 2005
    #14
  15. The Old Sourdough wrote:
    > On 08 Feb 2005, Blinky the Shark scribbled in
    > 24hoursupport.helpdesk:


    >> Scrote wrote:


    >>> Slimbrowser V4.03 build 007 not fooled. it's probably the build
    >>> number that provides the protection.


    >> Is that another Gecko-based browser?


    > It's a shell for IE.


    Oh. I couldn't tell from their home page -- but I wouldn't want anyone
    to know my product was an IE shell, either. :) With IE not effected by
    the exploit, then, maybe that new build *isn't* a security patch against
    it.

    --
    Blinky Linux Registered User 297263

    Who has implemented Usenet Solution #45933:
    Now killing all posts made with User-Agent G2
    Blinky the Shark, Feb 8, 2005
    #15
  16. On Tue, 8 Feb 2005 12:40:01 -0000, "Scrote"
    <> wrote:

    >>> It does NOT affect Microsoft Internet Explorer (yet), because
    >>> Microsoft hasn't added support for International Domain Names.
    >>> (However, if you've installed a third-party Internet Explorer plug-
    >>> in to add International Domain Name support, you may be vulnerable.)
    >>>
    >>> Technical details are here:
    >>>
    >>> http://www.shmoo.com/idn/homograph.txt
    >>>
    >>> --

    >
    >Slimbrowser V4.03 build 007 not fooled. it's probably the build number
    >that provides the protection.


    Slimbrowser is a shell for IE. If IE is not affected, SB won't be
    unless it adds the above support.

    Swill

    --
    The reasons for censoring Britt Ekland's erotic dancing in the room
    next to Edward Woodward in the Inn, in the film "The Wicker Man" are
    clear to me - after all, decency is perhaps the single most important
    factor to be considered in film-making. Too many film-makers
    concentrate on the way people think and feel and not, unfortunately,
    on how people *should* feel and think.
    I have seen both versions of the film, both with and without the
    lascivious Miss Ekland's performance, and I feel moved to ask you,
    does burning a virgin in a large wooden contraption actually improve
    crop yields, and is this not a better approach than employing the
    methods of genetic modification?
    Governor Swill, Feb 8, 2005
    #16
  17. elaich Guest

    Dennis Turner <> wrote in news:110gc3tg78mf0b0
    @corp.supernews.com:

    > Worked first time for me. Please note that the solution is as follows:
    >
    > Type about:config in the address bar of Mozilla or Firefox.
    >
    > Scroll down to the entry network.enableIDN and double click it to read
    > false.
    >
    > Exit Moz/Fox and restart. Now go back to the page and it will render a
    > page not found message.
    >


    If you had actually read the page at secunia.com, you would have read that
    this is not reliable and does not work.

    http://www.scovettalabs.com/advisory/SCL-2005.002.txt
    elaich, Feb 8, 2005
    #17
  18. elaich Guest

    Blinky the Shark <> wrote in
    news::

    > effected


    You mean "affected."
    elaich, Feb 8, 2005
    #18
  19. elaich Guest

    Governor Swill <> wrote in
    news::

    > Slimbrowser is a shell for IE. If IE is not affected, SB won't be
    > unless it adds the above support.


    Don't get the idea that IE is not affected because it's somehow better. It
    simply doesn't use IDN.
    elaich, Feb 8, 2005
    #19
  20. DC Guest

    elaich wrote:
    > Dennis Turner <> wrote in news:110gc3tg78mf0b0
    > @corp.supernews.com:


    >> Worked first time for me. Please note that the solution is as follows:


    >> Type about:config in the address bar of Mozilla or Firefox.


    >> Scroll down to the entry network.enableIDN and double click it to read
    >> false.


    >> Exit Moz/Fox and restart. Now go back to the page and it will render a
    >> page not found message.



    > If you had actually read the page at secunia.com, you would have read that
    > this is not reliable and does not work.


    > http://www.scovettalabs.com/advisory/SCL-2005.002.txt


    Jesus, you're right. }:O(

    http://secunia.com/multiple_browsers_idn_spoofing_test/

    So, at the link you offered... how does one *use* the IDNproxy.pac file
    that he (Michael Scovetta) suggests?

    --
    DC Linux RU #1000111011000111001
    DC, Feb 8, 2005
    #20