IE URL Spoofing Vulnerability

From:         Patrick Douglas Crispen 
Subject:      Tourbus - 19 Dec 03 - IE URL Spoofing Vulnerability

TODAY'S TOURBUS STOP: Internet Explorer URL Spoofing Vulnerability

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, site of man's first controlled, powered flight in a heavier-than-air machine.

In honor of the anniversary of the Wright brothers' flight, I hope you'll take a moment to visit the "Man Will Never Fly Memorial Society" website at

http://manwillneverfly.com/

Most of the members are active or retired military aviators, and the society's motto is, quite simply, "Birds fly. Men drink." You may laugh, but it is hard to dismiss the fact that the society accurately predicted yesterday's failed reenactment at Kitty Hawk:

http://news-observer.com/front/story/3123947p-2828519c.html

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show ...

Internet Explorer URL Spoofing Vulnerability Audience: Every PC user who uses Microsoft Internet Explorer, Outlook Express, or Outlook

If you use Internet Explorer, Microsoft Outlook Express, or Microsoft Outlook, you're vulnerable to something called "URL Spoofing." Is this earth-shattering? No. Should you lose sleep over it? No. Should you at least know a little about it in order to protect your personal information should something strange happen? ABSOLUTELY!

According to Microsoft,

a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar.

Why is this a bad thing? Well, InformationWeek warns that

This flaw would make it appear to Internet users that they're visiting a banking Web site, for example, when that site is actually a front for fraudsters attempting to collect sensitive financial information...

How can you tell if you're vulnerable? Just hop on over to

http://netsquirrel.com/spoof/

and click on the microsoft.com link on that page. If Microsoft's website loads in your web browser, move along. There's nothing to see here.

However, if the page that loads isn't Microsoft's but rather eBay's, you're completely vulnerable. And remember, this vulnerability doesn't just affect Internet Explorer, it also affects your copies of Microsoft Outlook and/or Outlook Express.

Now for the REALLY bad news: There's no way to fix this problem. Yet. Should you panic? As I said, no! But, until Microsoft finds a fix, you should take the following precautions:

1. DON'T TRUST HYPERLINKS IN HTML-FORMATTED EMAIL MESSAGES (emails that display images and hyperlinks and look very much like web pages) even if those email messages are from your friends or family. This is especially true for hyperlinks in email messages from Amazon, AOL, eBay, PayPal, your bank, your credit card company, or any other company you normally do business with. If any web site, financial company, or commercial entity sends you an email asking you to click on a hyperlink in that email to update your account information, DO NOT CLICK ON THAT LINK. Because of Internet Explorer's URL spoofing vulnerability, you simply cannot trust hyperlinks in HTML-formatted emails to point to the correct URL.

2. BE SUSPICIOUS OF HYPERLINKS ON WEB PAGES YOU HAVE NEVER VISITED BEFORE. To be completely honest, the chance of you running into a spoofed URL on a web page is pretty slim, and the chance is all but zero on the big .com sites you visit every day. More likely than not, the criminals will be spoofing URLs in email messages, not on Web pages. But, if you are at a web page you have never visited before, exercise a little caution. If something feels wrong, leave.

3. THE BEST WAY TO AVOID BEING HIJACKED BY A SPOOFED URL IS TO MANUALLY TYPE THE URL USING INTERNET EXPLORER'S ADDRESS BAR. Remember, the spoof only affects hyperlinks in email messages and web pages, not addresses you manually key in to your Internet Explorer address bar. So, to be really safe, if you need to access your account information at Amazon, AOL, eBay, PayPal, your bank or financial institution, your credit card company, or any other company you normally do business with, manually enter the URL.

Some will also argue that this URL spoofing vulnerability is a perfect reason to abandon Windows/Internet Explorer/eating with utensils. That’s for you to decide. However, since my email inbox will explode if I don’t say this, the smarter and better looking people long ago abandoned Internet Explorer in favor of Mozilla, Safari, and Opera (among others.) These smarter and better looking people look upon Internet Explorer users with abject contempt, but they will happily welcome you back into the smart and pretty club once you regain your senses and adopt a different web browser and/or operating system.

By the way, does this URL spoof actually affect Mac and *nix users? Yes and no. If you click on the Microsoft link on http://www.netsquirrel.com/, you'll most likely be taken to eBay but the URL in your address bar will look funky. That’s good. It’s supposed to look funky. What’s different in Internet Explorer is that the spoofed URL *DOESN’T* look funky at all. And that’s bad.

Finally, Broadband Reports has done the best job of covering this vulnerability. You can find their latest update at

http://www.dslreports.com/shownews/36402

My guess is that Microsoft will patch this vulnerability when they release their next batch of critical updates on January 14th. But I could be wrong. Until the patch is released, exercise a little caution and you should be fine.

Personal Favor: CSS Help Audience: Everyone

I've been playing around with (finally) redesigning my netquirrel.com homepage, this time getting rid of all the tables and using cascading style sheets instead. Unfortunately, I have no clue what I am doing. Which is probably why http://www.netsquirrel.com/ currently looks so, well, icky.

If any of you would like to take a stab at making the page look less icky, drop me a line. I need all the help I can get. :)

Cool Tricks and Trinkets Audience: Everyone

Bob Rankin asked that I share this with you:

The Cool Tricks and Trinkets Newsletter is written by Charles Kessler, who has been involved in the online world since the early nineties. Kessler has an eclectic professional background, having worked as a stock broker, theater operator, restaurant owner, resort manager and online marketing wizard. He offers weekly insights into new, fun, useful and interesting sites on the Internet.

If you think that the Web is dead, Cool Tricks and Trinkets will convince you otherwise. If you're craving a regular feed of cool and offbeat websites, you'll enjoy this free newsletter.

http://www.tricksandtrinkets.com/

Sounds cool. :)

THE NEXT BEST THING

Linda from Marlinton, West Virginia recently wrote and said "The next best thing to Tourbus is the Smart Computing magazine that you guys recommend. I've been getting it since last summer and it has solved numerous problems for me and my friends."

Thanks, Linda! We hope other Tourbus riders will discover the Plain English answers to their computing questions that Smart Computing delivers every month. Do you want to speed up your PC? Get rid of spyware and keep hackers out? Try Smart Computing today -- get your FREE TRIAL issue NOW!

http://tourbus.com/smart.htm

That's it for today. Have a safe and happy week and we'll talk again soon!

           .~~~.  ))
 (\__/)  .'     )  ))       Patrick Douglas Crispen
 /o o  \/     .~
{o_,    \    {              crispen@netsquirrel.com
  / ,  , )    \            http://www.netsquirrel.com/ 
  `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
 _(    (   )_.'
---..{____}                  Warning: squirrels.