Microsoft: Stuck between a rock and a hard patch?
Published: 06 Feb 2004 16:50 GMT
We all like to blame Microsoft when things go wrong. Let's face it, there are few easier targets. But with the latest Internet debacle, concerning a patch for Internet Explorer, it is not quite so clear exactly where the blame should be placed.
The problem, of course, began with phishing emails - emails that purport to come from a reputable company and ask you to confirm your account details, but which actually have no affiliation with that company and are in fact distributed by criminals looking for gullible victims.
Since email headers are relatively easy to spoof, it's often difficult to tell that the email is a fake. But click on the link and things are different. Take this URL, for instance.
If you direct your unpatched Internet Explorer browser to this link, then you go to a page which, at the time of writing at least, looks like it is owned by eBay.com; indeed, even the top of the browser says you are at eBay.com. But even though there are plenty of 'ebay.com's littered throughout the URL bar, it's pretty obvious that this URL does not really point to eBay.
Now go to this page hosted at zapthedingbat.com and click on the button that says "Test Exploit" (don't worry, it won't do anything to your system). This time, you are taken to a page that, although it is a (deliberately) rather poor imitation of Microsoft.com, would, if its creator so desired, make it much more difficult to tell apart from the genuine Microsoft.com - or any other targeted site.
The trick (and this is no longer a secret since Danish security company Secunia posted details of the flaw just recently) is to use a URL that takes the form: http://username:password@mysite.com.
Usually, the browser uses whatever is to the right of the @ symbol to locate the Web page; everything to the left of the @ is the username (and optional password) used to authenticate to that site. But an attacker can put a decoy Web address to the left of the @ symbol, so that the displayed URL is dominated by a trusted name while the browser actually connects to the host that follows the @. Matters are made worse in Internet Explorer because inserting a non-printing character (%01 in the example below) before the @ sign stops the address bar from displaying the true destination at all. So, in the working example at zapthedingbat.com, the following URL is used: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
Add a little extra trickery, which zapthedingbat implements in that button, and the URL looks to all the world (including most people who would describe themselves as tech-savvy) as if it is microsoft.com.