
Exploit for all browsers on all platforms

  • 08-02-2005 10:14pm
    #1
    Closed Accounts Posts: 17,208 ✭✭✭✭


    The following has been quoted from http://www.apple-x.com
    In a rare twist in computing today, the infamous Shmoo Group revealed a nasty, nasty browser exploit that works on all modern browsers that support IDN (international domain names), which does NOT include Internet Explorer (unless you've loaded a plugin to support IDN).

    Don't believe it?

    Click here to enter "paypal"
    Click here to enter "paypal via ssl"

    This is some seriously bad news. Are we about to see a whole flurry of phishing scams, and ones which consumers, even vigilant ones, are vulnerable to?

    Oh the irony, a security exploit that doesn't affect Internet Explorer by default.

    Safari users: A temporary patch can be downloaded here.
    It does not stop you from visiting the spoofed website, but it does pop up a dialog saying that the website you're about to visit could be spoofed.

    Mozilla/Firefox users: Type about:config into the address bar, and run a filter for IDN. Double click the single value that appears to disable support, and the exploit will no longer be of concern.

    It has come to my attention that a bug exists in Firefox (all versions) that using the above fix will only work for the current session, and after restarting the browser IDN support will be enabled again, even though the value will still read disabled. This has been fixed in the Nightly Build, which you can download here.
    Created most weekdays from the previous day's work, these builds may or may not work. Use them to verify that a bug you're tracking has been fixed. We make nightly builds for testing only. We write code and post the results right away so people like you can join our testing process and report bugs. You will find bugs, and lots of them. Mozilla might crash on startup. It might delete all your files and cause your computer to burst into flames. Don't bother downloading nightly builds if you're unwilling to put up with problems.


    I'm afraid I don't have solutions for other browsers, but if they get posted below I'll edit them into this post.

    More information about IDN (Internationalized Domain Names) can be found on Wikipedia.
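An added example, not part of the original post or the quoted article: a defender-side check that shows the ASCII (Punycode) form that is actually resolved for an IDN hostname and flags labels that mix scripts. The sample hostnames are constructed, and the mixed-script rule is a heuristic assumed here, not any browser's actual policy.

```python
import unicodedata


def label_scripts(label):
    """Scripts used by the letters of one label (first word of the Unicode name)."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def inspect_host(host):
    """Compare what the user sees with what is resolved, and flag mixed scripts.

    Accepts either the Unicode form or the xn-- (Punycode) form of a hostname.
    Heuristic only: legitimate labels in some languages mix scripts, and a
    spoof written entirely in one non-Latin script is not flagged.
    """
    host = host.strip().lower()
    ascii_host = host.encode("idna").decode("ascii")         # form sent to DNS
    unicode_host = ascii_host.encode("ascii").decode("idna")  # form shown to user
    per_label = {
        lbl: sorted(label_scripts(lbl)) for lbl in unicode_host.split(".")
    }
    return {
        "ascii": ascii_host,
        "unicode": unicode_host,
        "is_idn": any(l.startswith("xn--") for l in ascii_host.split(".")),
        "mixed_script": any(len(s) > 1 for s in per_label.values()),
        "scripts": per_label,
    }


if __name__ == "__main__":
    # Constructed samples: U+0430 is CYRILLIC SMALL LETTER A, which renders
    # like Latin "a" in most fonts.
    for sample in ("www.paypal.com", "p\u0430ypal.com", "m\u00fcnchen.de"):
        info = inspect_host(sample)
        verdict = "SUSPICIOUS" if info["mixed_script"] else "ok"
        print(f"{info['ascii']:24} idn={info['is_idn']!s:5} {verdict}")
```

Logging or displaying the `ascii` form instead of the rendered Unicode form is what makes the lookalike visible.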


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Ooh Sneaky.

    Ridiculously obvious when one thinks of it. The domain name will still show up in the bastardised form in the Address bar though, like in meh screenshot.

    Who'd have thought that MS's piss-poor compatibility would be a saving grace? :)

    [Edit: Actually that does work in IE for me, and I've no plugins. Shows up in the address bar as www.paypal.com

    I also disabled IDN in firefox, it still shows links as www.paypal.com, but if the website fails, the URL doesn't appear in the address bar, so I don't know if his works.

    :/


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Well, it appears the domains have either been overloaded or taken down, but when I tried earlier it worked fine (FF 1.0), with the proper address (www.paypal.com) in the address bar, and it just displayed a HTML page with "meow" written on it :)


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    So I think the lesson here is:
    If any website asks you to submit details, type it into the address bar manually, don't fill in data from followed links :)


  • Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    daveirl wrote:
    This post has been deleted.
    Because it affects IE if you have a patch installed that allows IDN domains to be supported. It might not affect it by default, but the potential is there, and to write off IE vulnerability when writing a post about it would be just a little irresponsible, right?


  • Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • Closed Accounts Posts: 4,943 ✭✭✭Mutant_Fruit


    Erm.... it does affect IE... here's my IE screenshot after opening said link. The only indications I opened a dodgy link are in the error message itself, and the title of the webpage....

    I think the IE's ability to show the "correct" address in the address bar and still go to the wrong site is MUCH worse than Firefox's ability to show the fecked up version in the addressbar. Still, tis quite a nasty bug.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    I think the IE's ability to show the "correct" address in the address bar and still go to the wrong site is MUCH worse than Firefox's ability to show the fecked up version in the addressbar.
    I don't know if it does. I doubt there'd be this much hoo-ha if it did show the fecked up version in the address bar. Did anyone try FF on the "paypal" links while it was still up?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Erm.... it does affect IE...
    Interesting... Do you have any third party plugins installed that might have enabled IDN support? Because every report I have seen says that IE doesn't support it without a third party plugin...


  • Closed Accounts Posts: 4,943 ✭✭✭Mutant_Fruit


    Well, as far as I know, nothing has been installed for IE except what's been on Windows Update. So unless the plugin was available there... it's not installed.

    By showing the "correct" address in the toolbar, it makes it that bit harder to know you've been bolaxed.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Well, as far as I know, nothing has been installed for IE except what's been on Windows Update. So unless the plugin was available there... it's not installed.
    Interesting...
    By showing the "correct" address in the toolbar, it makes it that bit harder to know you've been bolaxed.
    Uh, that's the point of the exploit :D Unfortunately, it's also the point of IDN, since it was designed to allow non-ASCII characters to be used in domain names. I guess it's not a security exploit in the traditional sense, since it uses the standard as it was designed to be used, just not for the purpose it was.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Well, as far as I know, nothing has been installed for IE except what's been on Windows Update. So unless the plugin was available there... it's not installed.
    Same for mine. Just a fully patched IE6, on XPSP2, there are no plugins.


  • Moderators, Education Moderators Posts: 2,432 Mod ✭✭✭✭Peteee


    IE does something right, and it still manages to get bashed!


  • Registered Users, Registered Users 2 Posts: 2,170 ✭✭✭Serbian


    Peteee wrote:
    IE does something right, and it still manages to get bashed!

    In fairness, it appears that IE is prone to the attack after all. Even if the bug didn't affect IE however, it would have been because IE was not conforming to web standards, so it would deserve to be bashed anyway.


  • Registered Users, Registered Users 2 Posts: 2,788 ✭✭✭Vikings


    Where abouts in about:config is the IDN option? I can't find it for the life of me.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Run the filter for IDN, and it should display a single entry called network.enableIDN.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    I have added new information regarding the Firefox fix into the original post. It appears that a bug existed in all versions of FF where using the above fix will only work for the current session, and after restarting the browser IDN support will be enabled again, even though the value will still read disabled.

