Print this article  |  E-mail this article  |  Comment on this article

IE Bug Makes 'Spoofing' More Believable

By Ed Oswald, BetaNews

December 17, 2004, 1:17 PM

Normally, it is easy to spot a spoofed or fake Web site if the user knows what he or she is looking for. However, a new IE flaw discovered by Danish company Secunia may change all that. Researchers found a way that a scammer could make a fake Web site look real -- right down to the URL of the real site.

What is troubling for Microsoft is that the bug was discovered in the IE version shipped with XP Service Pack 2, touted by the company as much more secure than its predecessor. The bug could occur in any Internet Explorer running ActiveX controls, although Secunia says it has only tested for the bug on XP computers.

"The problem is that users can't trust what they see in their browsers," Secunia Chief Technical Officer Thomas Kristensen told BetaNews. "This can be used to trick users to perform actions on what they believe is a trusted Web site, but actually these actions are recorded and controlled by a malicious site."

Kristensen said it was not necessary to alert Microsoft to the problem as the company watches the same mailing lists where the findings were posted, so they should be aware of the issue.

In a statement to BetaNews, Microsoft said that they are aware of the situation, although they have not received any reports of attacks attempting to take advantage of the vulnerability.

However, Microsoft found it "irresponsible" that the problem was not reported directly to the company. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," Microsoft said.

Add a Comment (35 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By amitpagarwal

posted Dec 17, 2004 - 11:50 PM

Any software or site which can help you detect suspected fake Web sites ?

Amit
http://labnol.blogspot.com

Score: 0

By sfo

posted Dec 18, 2004 - 3:43 AM

Mozilla Firefox ;)

Score: 0

By Bugs4HJ

posted Dec 18, 2004 - 6:18 AM

...or Mozilla (The Suite) with MultiZilla installed.

Mozilla 1.8ax is faster and more secure than Mozilla Firefox :-)

Score: 0

By GoodThings2Life

posted Dec 17, 2004 - 9:20 PM

I can see it now... Secunia reporting themselves as a security threat against all products with Internet functionality.

Although their reporting of security issues is a noble effort, they are becoming more of a threat than a benefit considering how they continue to bypass the vendors in the whole communication loop. This nonsense of just posting public announcements without giving the vendors (Microsoft or otherwise) an opportunity to research and resolve the issues is absolutely ridiculous!

Score: 0

By bourgeoisdude

posted Dec 18, 2004 - 2:06 PM

Yeah, they are really getting on my nerves...

Score: 0

By GoodThings2Life

posted Dec 17, 2004 - 9:22 PM

Incidentally, the point was made below and it's correct that the vulnerability here seems to be with a specific ActiveX control, not IE or Windows itself.

So the fact remains... Secunia should have taken that into consideration and submitted the issue to the ActiveX developer, in this case Microsoft's Office Development team.

Score: 0

By spiked

edited Dec 18, 2004 - 1:43 PM

This is really not an IE vulnerability, except to the extent that the DHTML Editor Control "comes with" every copy of IE.

Secunia is being cynical when they say the "solution" is to disable ActiveX completely. You don't have to disable ActiveX. You can simply set the kill bit for the DHTML Editor control. If you're scared of editing the registry by hand, simply copy and paste the lines below into Notepad, save the file with an *.REG extension, and then double-click it to merge it into your registry.

---Begin copying with the following line---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D360201-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000400
---End copying with the line above---

There is no way that Secunia was smart enough to discover this vulnerability without being 100% aware of the kill bit option. It's pretty obvious that they are being misleading. I urge everyone to visit the Secunia site and notice the full listing of recent advisories. How come we're not seeing the press report all those non-MS vulnerabilities? Probably just because it's not scandalous news unless it's Microsoft. If Peter Jennings says Microsoft, your grandma knows who that is. If he says Debian or Gentoo, she doesn't know and doesn't really care to find out.

Score: 0

By VMSBIGOT

posted Dec 17, 2004 - 3:40 PM

You can also in IE6SP2 goto Tools->Manage Add-ons, and disable the DHTML plugin. Its actually a part of Office, and wasn't installed on my machine until trying the test. After that, you can just disable it if you didn't have it before.

Also, don't use the reg file, as the '\' have been removed from the key name.

Score: 0

By RaveN-FH-

posted Dec 17, 2004 - 3:08 PM

Secunia seems to be more interested in making a name for themselves as opposed to helping protect the community. Or at least the argument could be made based on their quick to release without testing on all OSs and don't inform Microsoft first policies.

Score: 0

By eoswald

posted Dec 17, 2004 - 2:58 PM

Spiked -
It is no secret, frankly, that ActiveX has issues. Sitting here defending them would be foolhardly, because even MS is aware that many of their security problems result from ActiveX.

A question for you - how many of MS's security issues in IE have not been related to something with ActiveX? Not many at all.

Score: 0

By spiked

posted Dec 18, 2004 - 2:05 PM

To some degree, I have to admit that ActiveX is like a loaded gun. Handled with reasonable care, it can valuable and safe, but admittedly it is more dangerous than a rubber chicken. But let's look realistically at the majority of people who actually get compromised by ActiveX exploits in the wild. There are sites which actually say "click here and then click Yes/OK when you get a security warning, then you'll be able to download our [insert name of bait...MP3, warez, whatever]" and users will simply follow the instructions without pausing for a second to ponder whether the security warning exists for a reason. Time and time again, when I question a user whose computer is infested with spyware, trojans, viruses, etc. as to what happened, they eventually admit that, well, they might have downloaded [smiley face plug-in, talking gorilla, whatever] and clicked Yes to a security prompt along the way "...but the web site said it was safe!" Yup, the rogue web site itself said it was safe, so they believed it.

How really hard would it be to convince to simply prompt a Firefox user to go into their Advanced Javascript Options dialog and check all the checkboxes, thus allowing a site to overlay the real status bar and address bar? Social engineering is the absolute biggest vulnerability of all time. Where's Secunia's advisory for "Dumb People 1.0"?

In a world where vulnerabilities are being found repeatedly in things like Acrobat Reader, it's really hard to call ActiveX vulnerabilities substantially more dangerous than any other type. All it takes is one hole, and no matter what you run, your system has at least one hole that you don't know about yet. Just a matter of time and platform attractiveness. If you want to be safe, run a TI 99/4 (and keep it off the Internet).

The DHTML Edit Control has been around for over 8 years. I think this is probably it's 2nd vulnerability in that amount of time. Sure, I'd like it to be better, but there's lots of stuff out there which is much worse.

Score: 0

By mjm01010101

posted Dec 17, 2004 - 3:49 PM

Actually quite a few more than activex. I would say Microsoft's "Zones" security feature is their biggest headache. Spoofers just put their code in the trusted zone and they can run a lot more exploits.

Score: 0

By bourgeoisdude

edited Dec 18, 2004 - 2:15 PM

Microsoft 'zones' is not a vulnerability--mostly activeX vulnerabilities are exploited in order to fool the system into thinking the virus is being run from the "local" zone. ActiveX lets a virus in, and the virus messes up the zone problem. Yes, there have been some vulnerabilities directly related to security zones, but how was the malware/virus accessed in the first place? Yeah, you guessed it--either by a dumb user clicking "Always trust content from ScrewMyPC(r) Inc." on a rogue website or by using a completely seperate security hole.

Score: 0

By mjm01010101

posted Dec 18, 2004 - 3:32 PM

You have no idea what you are talking about. I appreciate the reply, however.

Score: 0

By bourgeoisdude

posted Dec 18, 2004 - 3:41 PM

Really? Have you an MCSE certification in Windows?

Score: 0

By mjm01010101

posted Dec 20, 2004 - 1:55 AM

Must Call Somebody Else? Nope. I do have 10 years experience as a systems administrator for Windows Systems. I don't have time for silly MS certifications, too busy making money with OT for patching their servers and posting on betanews. ;)

Score: 0

By bourgeoisdude

edited Dec 20, 2004 - 11:45 AM

This'll be my last reply--while I haven't been a system admin for over 10 years, I have had at least that in experience with windows, and I have setup a network with systems as old as Windows NT 4.0 Server and Win 3.11 WFW clients. No offense or anything--but it really hacks me off to have someone downplay the certificatios I spent nearly $2,000 taking (MCSE in NT 4.0, MCP in 6 Windows 2000 tests, in Windows XP pro, and Windows 2003 Server) and 3 years of hard work achieving. Yes, some MCSE's are nothing but show, and went to a "boot camp" to get certified and forget everything after they took the test, but not me; I know the stuff. I'm getting off subject--just don't downplay me or any other MCP's as idiots just because I have an MCSE.
Oh, and the 'ScrewMyPC' thing was a joke, in case you didn't know...

Score: 0

By GoodThings2Life

posted Dec 20, 2004 - 7:18 AM

Perhaps you should spend more time building stable servers and applying those patches faster and limit your posting time here...

Score: 0

By yuppysniff21

posted Dec 21, 2004 - 3:30 AM

either that or go back to primary school! lol

My car better than yours!
My dads bigger than yours!
I've got a AMD6000000000000!

Get a life lads i've just spent 10 wasted mins looking at your petty notes, what a waste of time!
please post something interesting for us adults :0)

Score: 0

By nightops

posted Dec 21, 2004 - 9:47 AM

You guys...geez. MS certs do add credibility to an argument. However, 'even the Devil can quote Scripture for his purpose'. Is MS the root of all evil, no. Is Unix/Linux better than Windows? Depends on what you're using it for. Does a Mac have any purpose in true computing? Believe it or not, yes. These are all facts, however whether or not you believe an MSCE makes a person more or less believable or credible is merely an opinion and a cummulation of life experiences. As far as going back to 'school', anyone daring to make a comment about a person's capabilities without having a first-hand account of a person's capabilities is suffering from dillusion and will most likely be ignored by those of us considered "in the know."
**ASIDE FROM ALL OF THIS, JUST TO KEEP FROM BEING CONSIDERED A FLAMER**
The biggest vulnerability to ANY OS is the end user. If the end user doesn't have enough common sense to be cautious and do their homework, then they deserve what they get. This, unfortunately, can only be solved by telling the poor miserable soul to either get a clue/education/certification/experience, or pack the computer back up and return it/sell it.

Score: 0

By Comit

posted Dec 17, 2004 - 2:11 PM

Judging by Microsoft statement at the end there, it sounds like they're really really getting frustrated and annoyed about all these security problems, lol.

Score: 0

By Pipewrench

posted Dec 17, 2004 - 2:15 PM

I agree :-)

Serves 'em right though. That's why I really hope more and more people will start using Firefox.

I know that the more people that use Firefox the more bad stuff that will be written for it but at least then people have a choice.

-Pipewrench

Score: 0

By Fidelio

posted Dec 18, 2004 - 11:35 PM

Who says that Firefox is bullet-proof? Every single software has bugs, so Firefox won't be the exception. It is just matter of time to begin to see threats affecting it.

Score: 0

By bourgeoisdude

edited Dec 18, 2004 - 2:37 PM

Why are people so upset that others still use Internet Explorer? I don't use IE in order to boycott FireFox, I use it because it's what I want to use. Encourage people to use FireFox--heck, even tell them not to use IE, but stop acting as if you want FireFox to gain support only so that the evil, sinister Microsoft Corp.'s browser will not continue to prey upon weak-minded users. Yes, many people use IE because it comes on their computer--if Mozila Corp. came up with their own operating system, wouldn't they include their own browser? Besides, even if Windows came with Firefox and not IE, I STILL choose Internet Explorer. Has nothing to do with hating firefox, I just prefer IE.

Score: 0

By RaveN-FH-

posted Dec 17, 2004 - 2:56 PM

for the love of god though: a lot of sites don't display properly in firefox. you can pipe all the security advantages, pop-up blocking, and cleaner design you want but when the page looks like crap you've failed on the primary goal. don't quote me a bunch of w3 standards crap either. microsoft should be more heavily involved in writing those "standards" when they are the standard for "web browsers."

as much as i hate netscape at least they're going to stick in the ie rendering engine as an option. i'd love nothing more than to use firefox with the ie engine.

Score: 0

By Bugs4HJ

posted Dec 20, 2004 - 1:09 PM

The fact that lots of people use something doesn't make it an official standard.

I guess you still walk to school, or the office, because that was the main and primary 'standard' but maybe it is time for you to start biking or driving a car, because that is faster, more secure.

Mozilla is more W3C compliant than any other browser available today, so that makes it a real standard for people that use modern transportation these days :-)

Score: 0

By p0rt1s

posted Dec 17, 2004 - 10:38 PM

Since when is microsoft a 'standard' for the web?! Open your eyes and try to think once in a while.

Score: 0

By bourgeoisdude

edited Dec 18, 2004 - 2:38 PM

Umm...since I "opened my eyes" and saw that IE is still being used more than all other internet browsers combined...

Score: 0

By p0rt1s

posted Dec 20, 2004 - 11:33 AM

That just shows how many clueless people there are out there in this world.

Score: 0

By nightops

posted Dec 21, 2004 - 9:55 AM

Another slanderous rant about FireFox being the best ever/most secure/etc...blah blah blah. I scrapped FireFox in lieu of Opera since it is every bit as good as IE/FireFox combined...but you have to pay for Opera..or get a freebie version with ads (that you can hack). Oh wahhhhh... I use IE & Opera b/c I'm a web designer/programmer and IE does control over 96% of the market for browsers. Until anyone else crosses the 15% mark, I won't even worry about it. Opera works on every site, I haven't met one site with it that it didn't work on... It also has pop-up blocking/multiple windows without having a ton of things showing up in your task bar/etc... I swear, some of the people in here *sound* as if they are freshly graduated and have 0 true life experience.

Score: 0

By mjm01010101

posted Dec 17, 2004 - 3:53 PM

Who cares if the site looks like crap? Don't visit the site then. The author of the site will get a cluestick and modify their site to standards after they notice people leaving. If they don't modify it--- I could care less.

And I don't want to visit sites that don't comply with firefox. IT'S MY BROWSER, and I'm not going to change my browsing habits for some silly .asp "guru."

Score: 0

By Bugs4HJ

posted Dec 18, 2004 - 6:20 AM

No, make them aware of their problem, that would help you, and all other none MSIE users ;)

Score: 0

By SomeGuy

posted Dec 17, 2004 - 7:17 PM

Yes. The web site owner would conclude that nobody uses Firefox (from server log) and act accordingly.

Score: 0

By GoodThings2Life

posted Dec 17, 2004 - 9:16 PM

LMAO! Right you are... although I have yet to find many sites that flat out don't work in Firefox. Even Microsoft's sites work well with some minor cosmetic appearance matters (none of which significantly prevent functionality or navigation).

Score: 0

By fizz

posted Dec 20, 2004 - 8:23 AM

Ive only found a couple of things that flat out DO NOT work in IE.

Coppercom Controller for Maintaining your softswitch, and of course anything that requires ActiveX which is a given.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal