Huge Internet Explorer security bug

Kent Brewster points out a recently discovered security bug in Internet Explorer (worse on Windows than on Mac, but still a minor issue on Mac). This bug makes it pretty much impossible to know what site you're really looking at if you use IE6 on Windows. I'm not exaggerating. I'll try to present a nontechnical overview of this, and then point to some examples, and then to some further reading for more technical info.

The gist of the problem is that a malicious person can extremely easily provide a URL (the URL of a link, for example, or in an email) that looks like it goes to one place but actually goes somewhere else, and in IE for Windows there's almost no way for the IE user (even a technically sophisticated IE user) to see where the link actually goes ahead of time, or where it's actually taken the user after they click the link. For example, someone could provide a link where the URL looks in every way like a link to PayPal, but actually goes to a fake PayPal login page.

The upshot is that if you use IE6 on Windows (and maybe earlier versions too, I'm not sure), you can no longer tell with any degree of certainty what site you're looking at, at any given moment.

Kent's example page is the clearest example I've seen. Go take a look at it. If you're using an affected browser, then when you point at his "Fake PayPal Login Screen" link, the URL in the status bar appears as "http://www.paypal.com". If you click the link, the URL text box at the top of the browser also shows that URL. But in fact, what you're looking at is a fake PayPal login screen that Kent threw together pretty easily. If Kent were malicious, he could use this to collect people's PayPal passwords, and the IE users would never know they'd been tricked.

On IE/Mac, the problem isn't nearly as bad. The status bar shows the fake PayPal URL when you point to the link, but after you follow the link the real URL appears in the Address area.

The only way that I know of to tell whether a given link is real or not (in IE/Win) is to look at the HTML source code for the page before following a link. Every time.
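Reading the source is the right instinct: the destination of a link is whatever host the browser will actually connect to, and nothing about the visible link text or the status bar is authoritative. As an added example (not from this post, Kent's page, or the Secunia advisory), here is a small Python link checker that pulls every `href` out of a page, reports the real destination host, and flags the pattern the advisory describes: a URL whose authority part contains userinfo before an `@`, so that the real host sits after the `@` while the text before it merely looks like a hostname. The sample HTML and the hostnames `evil.example` are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, text)
        self._current = None     # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href is not None:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def real_host(href):
    """Hostname the browser will actually connect to.

    In scheme://userinfo@host/path, everything before the last '@' in the
    authority is credentials, not the destination; urlsplit applies that rule.
    """
    return (urlsplit(href).hostname or "").lower()


def suspicious(href, text):
    """Return the reasons (possibly none) a link looks like a display spoof."""
    parts = urlsplit(href)
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo present")
    userinfo = unquote(parts.netloc.rsplit("@", 1)[0]) if "@" in parts.netloc else ""
    if any(ord(c) < 0x20 for c in userinfo):
        reasons.append("control characters in userinfo")
    if "." in userinfo:
        reasons.append("userinfo looks like a hostname")
    # If the visible text is itself a URL, its host should match the real one.
    shown = urlsplit(text.strip())
    if shown.hostname and shown.hostname.lower() != real_host(href):
        reasons.append("link text names a different host")
    return reasons


def audit_links(html):
    """Return [(href, real_host, reasons)] for every anchor in the page."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, real_host(href), suspicious(href, text))
            for href, text in collector.links]


# Constructed sample page: one honest PayPal link, one link in the
# userinfo-before-'@' form with a control character, one plain link.
SAMPLE_HTML = """
<a href="https://www.paypal.com/">PayPal</a>
<a href="http://www.paypal.com%01@evil.example/login">http://www.paypal.com</a>
<a href="http://evil.example/">evil.example</a>
"""

if __name__ == "__main__":
    for href, host, reasons in audit_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if reasons else "ok"
        print(f"{flag:10} host={host:20} {href}")
        for r in reasons:
            print(f"{'':10} - {r}")
```

Run against a saved copy of any page, this does by script what the paragraph above asks you to do by eye: it ignores the link text entirely and reports the host that `urlsplit` (and a correctly behaving browser) derives from the authority. The `%01` control character and the dotted userinfo are each flagged separately, because either on its own is a good reason to distrust a link.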

So if you use IE, especially if you use it for financial transactions, you may want to consider switching to another browser, at least until this bug is fixed. Don't uninstall IE; the bug doesn't affect anything on your computer. There's some discussion of non-IE browsers on the Rumor Mill; see particularly message #78. You may want to consider downloading Mozilla or Firebird for free from the Mozilla site, or buying Opera.

Non-IE browsers are not affected; the URL doesn't look like a real PayPal URL in other browsers. If you're not using IE, you don't need to worry about this. But if you know people who are using IE, especially for financial transactions, you should probably let them know about this.

Microsoft has said that they'll look into the issue and, if they consider it appropriate, will release a fix for it. I saw something that indicated that their next official patch release won't be 'til mid-January; hard to say whether they'll see this as important enough to issue a patch sooner. They certainly ought to; in my opinion, this is one of the biggest and most easily-exploited security bugs I've ever seen.

For some info on how it works, see part of the Slashdot thread, or the original advisory from Secunia. Secunia also provides an example/test page to illustrate the problem, though not as dramatically as Kent's.

8 Responses to “Huge Internet Explorer security bug”

  1. Vardibidian

    Although this is clearly Very Bad, it does not mean that everybody needs to instantly stop using IE altogether. The number of times I ever click through a site written by somebody I don’t trust and then put any password info is very low.
    For a store I already use, either I’m going to my ‘Cool Stuff’ shortcut in my favorites, or I type in http://www.allthecoolstuffIeverwant.com and proceed from there. This bug doesn’t affect that at all. If I’m really searching for something new, googling it (or other searches) won’t likely take me to a phony URL, and if it does, I’m not going to type in any financial info at the first two, or three, or likely twenty pages of the site anyway, and then the odds that somebody has set up a phony-url scam that good are about the same as the whole store being a scam in the first place.

    The possibility for fraud is if you click on a paypal or similar link on a site maintained by somebody you don’t trust. OK, don’t do that. Did I anyway?

    …Hm. I suppose it would be easier to spoof out from a blog. I’m not sure I would care, much. I don’t mean to defend the hijjus programming, but neither is it really a reason to Never Use IE Again.

    Thanks,
    -V.

  2. Jed

    Point taken, but I put the ease of falling for this a lot higher than you do.

    First of all, it works in email. There’s already an egregious industry of PayPal and eBay scams by email that fool people into thinking that a fake site is really PayPal or eBay; that’s just gotten a lot easier to do, because it’s now a lot harder to tell that the site you’ve gone to isn’t real.

    Second, it’s not just blogs; lots of people have (for example) PayPal buttons on their sites that let you send them money. If you ever use those (and I do), you now pretty much have to stop (until the bug is fixed), if you use IE on Windows. (Yes, unless you completely trust the person. But there are lots of people online who I’m willing to send money to but whom I don’t know well enough to be willing to bet that they’re not fronting for a password-collection scam. Before, it was easy to tell whether they were doing that; now it’s not, if you use IE.) Remember, too, that it would be possible to do this for a while without being caught (’cause after they harvest your password, they can give you a “Sorry, you must have mistyped that, please try again” message and then redirect you to the real site), so it’s not too implausible that people might unknowingly link to a page that’s done it.

    It’s true that if you type the URL of a trusted institution into your address bar by hand, and if you’re certain you didn’t misspell it (’cause now it’s possible to buy a domain with a similar name to an existing one, and do a redirect that makes it look like you’ve come to the right place), then you’re okay. But you now have to stop and think about it—am I certain that I got to this URL via a trusted source?

    At best, it adds a level of difficulty and uncertainty to formerly secure transactions.

    Chances are pretty good that MS will fix the problem soon. But in the mean time, I think people are better off either not using IE at all, or being extremely careful if they do.

  3. Vardibidian

    When you say it works via email – only in web-based email, or in Outlook? Just curious.

    Anyway, I agree that people should be careful, but not much more careful than they should always be. My bookmarks still work; my address bar still will take me to an address I type in. If I think the site I bookmarked is a spoof, I’ll check the properties of the shortcut, and it’ll have the URL (the actual one); if it looks hinky, I won’t trust it.
    If I think a site may be a spoof, or I think I was sent there in error, I won’t log in. I won’t send money to anyone I don’t trust to keep my credit card information as confidential as the other people to whom I’ve already sent my credit card info. I won’t assume that a site that looks like a worthwhile charity is actually one, or that the Daily Blog actually needs my support. None of this changes.
    Look, everyone I’ve given more than about $20 to in the last five years either has my bank account number or my credit card number. Not just the on-line people; the restaurants, the bookstores, the utilities. And it’s not like the busboy at the restaurant, the woman that opens the mail at the phone company, or the teenager at the bookstore has had extensive background checks.
    If you are not comfortable with using IE with this newly-discovered horror, I don’t blame you. It’s pretty bad, and I admit to being, in my grouchy way, shocked. The thing that tells you where you are should tell you where you are. But the number of people who will actually lose money because other people take unscrupulous advantage of this will be pretty small.
    Unless I’m wrong. Which I often am. So, you know, take it as you will. For a while, anyway, I’ll keep using IE, which I have grown to quite like as a program (mostly through not actually using any others for years and years), and I’ll try to keep track of the number of times the bug even crosses my mind.
    Now, don’t get me started about Microsoft screwing those of us still using Windows 98. That makes me mad.

    Thanks,
    -V.

  4. Dan Percival

    Another reason why this could be a Bad Thing, apart from password-collection scams: a fair number of the IE holes that get reported involve things that can be done to you (such as gain read-write access to your hard drive) when you visit a malicious page. Spoofing the address of the page you’re about to click on makes it somewhat easier for someone to direct you to that malicious page. Maybe not that much easier, if you only click through from sites that you trust, but that does tend to limit the scope of one’s web browsing.

  5. Jed

    V.: This issue affects email in any email software that handles HTML, which includes almost all non-text-only email apps these days (yes, including Outlook). If an email message you receive has a link in it, and you click that link, you used to be able to look at the address bar to find out what site you were on; you can no longer tell that. And remember that it’s easy to fake the return address on email.

    As for payments, using PayPal means not having to give the recipient of the money your credit card number, bank account number, or any other private info. It’s like sending them cash online. That’s one of the cool things about PayPal—you really don’t have to trust the recipient of the money very much. Only now you do, if you use IE.

    And several of your comments rely on “if I think X is a spoof”; the key factor that makes this bug unusual is that there are no clues at all that it’s a spoof. (And for typing in URLs, remember what I said about typos.)

    Note, too, that this is very useful for setting up fake information sites. Want to convince people that Howard Dean is a babykiller? Link in your blog to a fake Dean campaign homepage (that appears to have the URL of the real thing) in which he admits to killing babies. Okay, so maybe nobody knows what Dean’s homepage URL is so that isn’t such a big deal? So instead link to what appears to be whitehouse.gov, or CNN.com, and post a note on the fake site indicating that Bush kills babies. Sure, you can achieve similar effects by pointing to, say, whitehouse.org, but if the link to that site doesn’t use the IE trick, then someone who’s paying attention to the URL can figure out that it’s a fake site.

    So the real point of all of this is that this bug makes it much easier for someone unscrupulous to do Bad Things. I’m certainly not saying You Will Lose All Your Money If You Use IE; I’m just saying (to go a bit beyond what I said before) that this adds a potential level of untrustworthiness to the web at large.

  6. Vardibidian

    To respond (now, I know, I’m just being stubborn, but once in the argument, I tend to keep battling) to Jed’s points:

    How do I know that http://www.nytimes.com is actually a good site for news? Because I’ve gone there a lot and found their news to be consistent with other sites. Yes, the fact that they are more or less run by the New York Times (sort of) is a factor, but if I went there twice and wasn’t impressed, I would stop going. My opinion that http://www.whitehouse.gov is a good site for getting White House information is not based on their having an appropriate URL or an official-looking seal gif, but on my experience of the page. I agree, an unscrupulous person could well use this to trick a person into, say, briefly believing something that wasn’t true, but if you are going to believe anything because a single source said it, you are too gullible for my tastes to begin with. And you aren’t, Jed, as I happen to know.

    As for the mis-typing a URL business, what you are describing is that I could type http://www.nyrimes.com and that site would have been purchased by some unscrupulous person, who is spoofing the NYT site, and when I check the address bar, it will tell me I’m at the real site. OK, this is obviously bad; it should be fixed. However, it’s not clear that (a) somebody will actually do it, and (b) that it would be done so well that I would be unable to detect the spoof on a cursory glance, and finally that (c) even if I were hoaxed on something briefly, it would be a serious problem. I mean, however I get there, if I go to the NYT site, and it tells me that the Moon Men have landed, I might well shout about it, and only later admit that I was spoofed. I will be out a percentage of my remaining credibility, and later, many computer geeks will think it was funny. That humor ain’t to my taste, but it isn’t a pint of my blood, either.

    As for Dan’s point, which certainly hadn’t occurred to me, it is a problem, but only slightly more of a problem than the existence of the other IE holes in the first place. The malicious pages are, presumably, out there, and the added vulnerability of the masked-URL presumes that somebody is paying enough attention not to click on links to http://www.nyrimes.com in the first place.

    Perhaps the thing for me to do is to clock my own use, and see how often I really do expose myself to that kind of spoofing. I don’t think I do more than once a week or so, which makes this vulnerability a very low level, compared to the million other vulnerabilities I have. For instance, it turns out that the Special Company Discount Price on printer paper we were offered by a big office supply chain is actually more than two and a half times the shop floor price. I’m being ripped off without even getting on-line.

    R.I.,
    -V.

  7. chance

    My problem with Microsoft’s lackadaisical attitude to fixing something like this is not me, but people like my parents. They just aren’t tech savvy, so the idea that a link is saying it is one site and going someplace else isn’t going to occur to them. Luckily I had them using Netscape right from the first, which doesn’t have this vulnerability.

    (My mom said to me once “How could this file have a virus? I got it from someone I know, they would never do anything like that.”)

    Yeah, if they get scammed it’s their own fault, on a level, but there are a lot of people like that out there surfing the net in a state of semi-innocence/ignorance. So why does Microsoft have to make it that much easier for the scammers?

    About once a week I get a fake email saying it is from Earthlink and that my payment for the month didn’t go through. For a laff I clicked on it, and worse than asking just for credit card info – it says they are offering a discount if you pay direct through a bank account. Who doesn’t love to get something for cheap? *shudders*

    And you know what – the first email I got, for about half a second I was tempted to click on it before common sense kicked in and I said “this is a scam.”

    But it looked really good.

  8. Jed

    Since this issue is long since resolved, and since this entry gets a lot of spam, I’m closing comments for this entry.
