Exploit for every browser except IE...
07-02-2005, 20:19
#1
...and with good reason:
Quote:
East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
http://it.slashdot.org/article.pl?si...4&tid=95&tid=1
http://www.shmoo.com/idn/
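An added example, not part of the original thread: a defender-side check that decodes `xn--` (Punycode) labels in a hostname and flags labels that mix scripts or are not plain ASCII, which is the condition the spoof described above relies on. The function names, the coarse script heuristic based on Unicode character names, and the `.test` hostname are assumptions made for this illustration.

```python
import unicodedata

def script_of(ch):
    """Coarse script tag taken from the Unicode character name."""
    if ch.isascii() and not ch.isalpha():
        return None          # ASCII digits and hyphen belong to no script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Unicode form of one DNS label; xn-- marks a Punycode (IDNA) label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ace(label):
    """Helper to build constructed samples: Unicode label -> xn-- form."""
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_host(host):
    """Return one finding per label that is IDN-encoded or mixes scripts."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            uni = decode_label(raw)
        except UnicodeError:
            findings.append({"label": raw, "issue": "invalid-punycode"})
            continue
        scripts = sorted({s for s in map(script_of, uni) if s})
        if len(scripts) > 1:
            issue = "mixed-script"     # e.g. Latin letters plus one Cyrillic
        elif not uni.isascii():
            issue = "non-ascii"        # whole label in one non-Latin script
        else:
            continue
        findings.append({"label": raw, "unicode": uni,
                         "scripts": scripts, "issue": issue})
    return findings

# Constructed sample: "example" with U+0430 (Cyrillic a) replacing Latin a.
SPOOF = to_ace("ex\u0430mple") + ".test"

if __name__ == "__main__":
    for host in ("example.test", SPOOF):
        print(host, inspect_host(host))
```

A label written entirely in one non-Latin script is reported as `non-ascii` rather than `mixed-script`, so it still surfaces for review even though no scripts are mixed.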
07-02-2005, 20:39
#2
Mr Gates has actually provided software that by default is more secure than the offerings of others
M$ much vaunted security edicts must count for something then. Wohoo
07-02-2005, 20:41
#3
It is ironic though, that being a naff, featureless browser is what stops the virus from attacking it.
07-02-2005, 21:10
#5
It's pretty easy to fix though.
07-02-2005, 22:49
#6
Wow.
Microsoft can have a little "It didn't get our browser" celebration today.
For once, IE proves to be useful.
08-02-2005, 02:33
#7
Quote:
Originally Posted by Halcyon
Wow.
Microsoft can have a little "It didn't get our browser" celebration today.
For once, IE proves to be useful.
Ummmm... I don't get this. Surely this issue has nothing to do with M$ IE being 'secure' but down to the fact that these people managed to register an IDN like that anyway? If anything, Verisign are at fault for failing to protect their existing customer's interest when opening up xn-- registrations, something that not *all* registries are doing... yet. There's a consultation paper going out shortly for registrations under .uk, to establish whether there's a requirement to handle IDNAs or not. I can imagine that there will be a need, but at least with .uk, we're safe in the assurance that we won't get shafted by the registry - unlike gTLDs whereby there's very little public consultation on the effects of opening up new protocols, such as IDNA. We've seen Verisign do daft things before, this isn't anything new and is not something that should be directed at browser vendors. If anything, M$ have once again displayed their inability to keep up with the times by not supporting IDNA anyhow, why are they the only ones that don't? And ... no, before you suggest it, it has nothing to do with security conscience
Quote:
Originally Posted by punky
It is ironic though, that being a naff, featureless browser is what stops the virus from attacking it.
Yeah, that's exactly the point. a) it wasn't a virus, there's quite a difference here; and b) IE *is* featureless, they just happened to be lucky here, in that it's *so* featureless it doesn't support IDNs - yet there *are* registries out there that do... Why are M$ so far behind?
Quote:
Originally Posted by MovedGoalPosts
Mr Gates has actually provided software that by default is more secure than the offerings of others
M$ much vaunted security edicts must count for something then. Wohoo
Nah, again... IE is *not* more secure - it just doesn't support the new IDN protocol, simple. That's *not* necessarily a good thing, whatsoever. The fact that IE is upgradable to support IDN is a distinct indication of this. If it was a security issue, then the upgrade wouldn't be available. It simply hasn't been fully distributed because there is not yet a widespread requirement for it - although IDN has been launched in various countries, with much success.
08-02-2005, 09:17
#8
Guest
I wonder if Avant is vulnerable, since it MAY have a plugin for it
08-02-2005, 10:04
#9
Quote:
Originally Posted by homealone
I was just going to say I'd already mentioned that... still as long as as many people as possible read it, that's all that matters
09-02-2005, 00:10
#10
And an even more simple workaround is not to click links to things like paypal and to type em in yourself...
But seriously, it's probably not such a big thing as everybody makes out, and as someone previously said, it's more to do with the registry itself rather than the browsers that support the feature...
09-02-2005, 01:02
#11
We'll probably find that the latest round of Windows Updates have enabled IDN support on IE
09-02-2005, 08:18
#12
Quote:
Originally Posted by Raistlin
We'll probably find that the latest round of Windows Updates have enabled IDN support on IE
lol, wouldn't put it past em
09-02-2005, 17:08
#13
Quote:
Originally Posted by Raistlin
We'll probably find that the latest round of Windows Updates have enabled IDN support on IE
16-02-2005, 00:49
16-02-2005, 00:49
#15
Hmmm. I have disabled IDN in FireFox, but that website works. I thought it would have given me some warning or error.