Internet Explorer Hole Again !!!

Discussion in 'Software' started by Clark_Kent, Jan 30, 2004.

  1. Clark_Kent

    Clark_Kent MajorGeek

    A recently discovered security hole in Internet Explorer 6, and possibly earlier versions as well, means that users can easily be fooled into downloading what appear to be safe files but could in fact be anything at all.

    Combine that vulnerability with an earlier one which has not been fixed, whereby a user can be similarly fooled into going to a website which looks genuine but isn't, and you've got a massive flaw leaving many totally exposed.

    Microsoft failed to add suitable patches for the vulnerabilities in its January updates and many believe that the holes cannot be fixed. In other words, at any time you could be visiting a spoof site and downloading spoof files without ever knowing.

    There's a test here to see if your browser is vulnerable:

    http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

    I try and I fail CRAP!!!
     
  2. Endi

    Endi Lt. Links

    Darn I failed too. :mad:
     
  3. Kodo

    Kodo SNATCHSQUATCH

    doesn't work in MyIE2
     
  4. Adrynalyne

    Adrynalyne Guest

    Same with me Kodo.

    BTW, Panda caught the file each time, regardless of browser.

    So while MyIE gives the access denied or whatever message accessing the site, the file download is still there.

    All hail Panda!!

    :p
     
  5. Endi

    Endi Lt. Links


    Whadaya mean? I have Panda. Mine did not catch it. It's been updated today.??
     
  6. Adrynalyne

    Adrynalyne Guest

    Lookie here:
     
  7. Wisewiz

    Wisewiz Apprentice's Sorcerer

    I don't understand, Adrynalyne. I clicked the link in the first post above, then I clicked the test link (and got an address link that was clearly bad, not a real Microsoft addy) in Firebird. Then I held my pointer over the test link and it showed a black bar next to the phony site address, so I knew there was a problem.

    That means Firebird .7 passes the test.

    Now, what's this about a FILE that Panda catches (sometimes?)? I didn't see any downloads anywhere.

    Pls xpln.
     
  8. Adrynalyne

    Adrynalyne Guest

    Look at the original post my friend.

    Clark_Kent is describing two exploits.

    Then he goes on to describe combining this exploit with one that spoofs the URL.

    Imagine the chaos that could ensue, if someone was malicious enough to do it.

    MyIE doesn't respond to the URL spoof, but falls flat on its face for the file download (it does indeed download).

    IE fails altogether.
     
  9. Adrynalyne

    Adrynalyne Guest

    That's how I understand it anyway.


    Either that, or Panda is simply finding the spoof and reporting it.

    But I doubt it, because MyIE won't open the site at all, and denies access.

    Yet the file STILL gets downloaded, even though you never visited.
     
  10. Wisewiz

    Wisewiz Apprentice's Sorcerer

    I'm sorry, I must be either tired or just dense tonight. I re-read the original post at the top of this page, and there's no link to a file download, even though he speaks of a file download flaw. I've never seen a link to a phony file anywhere.

    Then you speak of a file that you downloaded, and Panda caught the virus-spoof in it.

    "...falls flat on its face for the file download (it does indeed download)"
    WHAT file download? What URL has the file that Panda caught (so we can see whether OUR AV catches it)?

    (My apologies if this is really dumb.)
     
  11. Adrynalyne

    Adrynalyne Guest

    The file gets downloaded automatically by clicking the URL.

    As I was saying, Panda may simply be addressing that it is catching a spoof in progress, but it still doesn't explain why MyIE denies access and yet the file still downloads.

    Actually, I guess that file is just a copy of the site in Temporary Internet Files.

    I guess MyIE still has a flaw of sorts.

    Still have to tip your hat to Panda for catching it.

    Our Corporate NAV didn't.

    Forgive me for the confusion I caused.
     
  12. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Me, too. I think I understand now that you were just referring to the html page being loaded into the cache. Nothing went off on my machine either, so FB tells all but loads anyway.
     
  13. Adrynalyne

    Adrynalyne Guest

    Forgive me, what does FB stand for?
     
  14. Adrynalyne

    Adrynalyne Guest

    You missed the rest of my posts Star.

    And I am doublechecking right now over Remote Desktop, but I am pretty sure I will get the alert from Panda that file was downloaded to Temporary Internet Files. It's simply a copy of the site, and Panda pulls up the exploit.



    I had to update MyIE first however, so it will be a few minutes.
     
    Last edited by a moderator: Jan 30, 2004
  15. Endi

    Endi Lt. Links


    I think he meant Firebird (maybe)
     
  16. Adrynalyne

    Adrynalyne Guest

    Thanks.


    *Cough* I have to reinstall MyIE2 again.


    MG has an outdated version of MyIE for download.

    Gonna be a few more minutes.
     
  17. Adrynalyne

    Adrynalyne Guest

    *Pokes Star17 in the shoulder*

    I told you...

    :p:D:p
     
  18. Adrynalyne

    Adrynalyne Guest

    OK, that's weird. Updated MyIE2.

    I can get to the website.

    It shows up as www.microsoft.com

    Panda went silent.

    EDIT: it actually shows what BillH posted.
     
    Last edited by a moderator: Jan 30, 2004
  19. Greyhound

    Greyhound Sergeant

    Ditto, I fail too.!!!
     
  20. billH

    billH Master Sergeant

    Hmmmm . . . wondering about the wording of the test. It says:
    "If only the words microsoft.com appear, then your browser can be spoofed."
    Here's the url it placed in my bar :

    http://www.microsoft.com00@secunia.com/internet_explorer_address_bar_spoofing_test/

    Obviously the words MS.com do appear -- but not just the words MS.com. Also, nothing downloaded or even indicated that something had tried. Unless it was a udp packet that Zone Alarm blocked about that time. SlimBrowser gave no indication of a file being sent.

    So, does this mean I can or cannot be spoofed?

    edit: I followed the above url and it took me back to the test page.
     
  21. Adrynalyne

    Adrynalyne Guest

    The file I was referring to is a cached copy of the site. Panda saw the exploit and reported it. Panda downloaded a cached copy even though it denied access.

    I don't think you are going to see any download dialogs ;)

    However, oddly enough, I installed an updated MyIE2 and Panda has grown silent, even using IE. Although it might be some weird quirk, I am using my computer through RD, maybe it doesn't properly load the AV after I reboot it. Since the reboots, Panda hasn't given the warning at all.
     
  22. alanc

    alanc MajorGeek

  23. goldfish

    goldfish Lt. Sushi.DC

    mwhaha i love firebird :D
     
  24. waxace

    waxace Private E-2

    The spoof tried to come through but my McAfee picked it right up and deleted it as a Trojan/Virus.
    I tried to force the issue and again McAfee deleted it and in addition, my Zone Alarm refused access to the site under those conditions.....
    I have quite a bit more than normal protection, but well worth it....
    Three years and no virus/hoax/trojan successfully made it through...
    Maybe just lucky and/or have the right protection....


    WAX
     
  25. Endi

    Endi Lt. Links

    I get this with MyIE2

    htt*://www.microsoft.com%00@secunia.com/internet_explorer_address_bar_spoofing_test/


    This is what I got with IE

    htt*://www.microsoft.com

    Although there was no file download dialog with either one :)

    With Firebird I get

    htt*://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/


    With Opera I get
    htt*://www.microsoft.com%00@secunia.com/internet_explorer_address_bar_spoofing_test/

    + with Opera a box opens and states this

    What to use what to use:D:D

    I guess IE failed



    Zone Alarm stayed quiet.
    Panda did not catch it.??


    Opera is the one
     
    Last edited: Jan 31, 2004
  26. Adrynalyne

    Adrynalyne Guest

    I give up. Nobody is hearing me.

    There is no download box.

    When I was talking about the file download I was talking about the cached copy going into Temporary Internet Files. I found it odd how MyIE denied me access (an older version), yet still downloaded a cached copy.

    Panda picked it up as an exploit, but no longer does.

    :rolleyes:
     
    Last edited by a moderator: Jan 31, 2004
  27. Adrynalyne

    Adrynalyne Guest

    I think you are right.

    MyIE failed that test for me (latest version).
     
  28. Endi

    Endi Lt. Links


    Don't give up on us yet. I hear you and understand you loud and clear :)
     
  29. Adrynalyne

    Adrynalyne Guest

    I'm guessing those are industrial strength apps ;)

    I wonder if there are any apps that are available that can do the same.

    Either that or I will need to switch browsers ;)
     
  30. Adrynalyne

    Adrynalyne Guest

    It's spotty for me. No amount of money would make me use McAfee however.

    Panda saw it as an exploit, as you can see from my screenshot, but no longer.

    Not sure why it stopped working.
     
  31. SportsNut

    SportsNut Corporal

    I went into my D-Link setup and enabled URL filtering and added "%01" "%00" "@" then applied the settings

    And it still opens the page.

    Any ideas why it's not working?
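
Added example, not part of the original thread: a Python check for the deceptive URL form quoted in posts 20 and 25. It reports the host a link really points to, flags a hostname-like or control-character user-info part, and shows what a standards-conforming HTTP client would put in the request line and Host header. The function names and finding labels are illustrative assumptions; the sample URLs are the ones quoted in the thread with the scheme written out.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# A user-info string that starts like a DNS name is the deceptive part.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def inspect_url(url):
    """Return (real_host, findings) for a URL as it appears in a link or log."""
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is user-info, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    findings = []
    if at:
        findings.append("userinfo-present")
        raw = unquote_to_bytes(userinfo)  # decode %00, %01, ...
        if any(b < 0x20 or b == 0x7F for b in raw):
            findings.append("control-char-in-userinfo")
        if HOSTLIKE.match(userinfo):
            findings.append("userinfo-looks-like-hostname")
    return parts.hostname, findings

def on_the_wire(url):
    """Request target and Host header derived from the URL (user-info excluded)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return target, host

# URLs quoted in the thread; "htt*" written out as "http".
TEST_PATH = "/internet_explorer_address_bar_spoofing_test/"
SAMPLES = [
    "http://www.microsoft.com%01%00@secunia.com" + TEST_PATH,
    "http://www.microsoft.com%00@secunia.com" + TEST_PATH,
    "http://www.microsoft.com00@secunia.com" + TEST_PATH,
    "http://www.secunia.com" + TEST_PATH,
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, findings = inspect_url(url)
        print(f"{url}\n  real host: {host}\n  findings:  {findings or 'none'}")
        print(f"  on the wire: target={on_the_wire(url)[0]} Host={on_the_wire(url)[1]}")
```

In this output the part before `@` appears in neither the request target nor the Host header, so a filter that matches only on those fields has nothing to match against.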
     
  32. Wisewiz

    Wisewiz Apprentice's Sorcerer

    [Morning, lads. Good to see that everything is all straightened out now, and everybody understands the full set of problems, and everybody has plans to deal with everything. Guess you've got everything covered.]
    :p :p :p

    Adryn,

    I'm betting that you didn't remember to completely empty the Cache of MyIE2 between versions, and the fact that the old, neutralized page record (html copy) is still IN there would mebbe keep a new copy from getting in --- for Panda to react to. (????)
    "I installed an updated MyIE2 and panda has grown silent, even using IE."

    Possibility? Don't they BOTH use TIFs as the Cache folder?
     
  33. Adrynalyne

    Adrynalyne Guest

    I thought that might be the case, and I deleted TIF.

    Neither browser will cause Panda to panic, so to speak, even after doing that.

    Maybe if I up the heuristic settings on Panda, hmm...
     
  34. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Hmmm.
    <Goes for more coffee and thinks deep thoughts ...>
     
  35. Adrynalyne

    Adrynalyne Guest

    Panda still doesn't catch it.

    I'm at a loss to what's going on.

    I am going to reinstall Panda when I get home.
     
