Re: IE URL obfuscation
From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: Fri, 12 Dec 2003 09:01:42 +1300
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> More than a few people have pointed out the potential ramifications of
> the %01 IE URL obfuscation issue. The most common concern is that
> because the bug allows an attacker to forge the information in the
> Address bar, attackers are going to use it to convince unsuspecting
> consumers to go to forged bank sites or other such sites the user
> There is clearly the potential for this, but I'm not sure people have
> fully thought this issue out.
> I'm asking these questions with the thought of requesting that Microsoft
> consider this an emergency issue.
Given that we are at the beginning of a traditional (at least in the
West) "silly season" this may be rather more urgent than you suggest...
> At this point I am not convinced that it is such an important issue that
> we need Microsoft to rush a patch out. However, given the concern
> expressed by subscribers, I'd like to offer some of my thoughts on the
> real risks, and then ask you to take a poll with them in mind.
> 1. Consider the premise that an attacker sets up a duplicate site for
> BankX. Emails are sent out to unsuspecting consumers in the hopes of
> hitting customers of BankX;
Sorry -- right now I do not have time to deal with your post with a
point-by-point commentary highlighting the flaws and important further
factors you missed at nearly every point, but I have time to briefly
comment that at several places you overlooked how easy it is for the
smart scammer to overcome the "objections" you raise, using tricks
that are already somewhat to widely used by spammers and/or the
bank/online services scammers. Four points to consider:
1. It is _trivial_ to SE "enough" folk to make the approach cost-
effective. Suppose (unlikely) that the bank/online services scammers
use "expensive" spamming options such as a "one-off posting to a
spammer's entire several-hundred-million Email address list" and that
it costs them perhaps US$20,000. What hit rate of folk with US$1,000
per transaction (or per day, etc) limits on their accounts is needed
to cover the scammer's costs?
If you don't believe me that it is trivial to get a sufficient hit
rate, you should talk to a few of the large banks that have recently
been targeted by such scams. Many of these scams work precisely because
of the SE in the scam message, particularly the threat of loss of
service due to "improved security procedures unless you ...".
Or, consider the phenomenal ongoing success of Swen and Dumaru -- two
self-mailing viruses that SE themselves as important MS security
2. Ignoring that most "typical users" are now entirely accustomed to
utter gibberish URLs -- say, what exactly _is_ this:
a "locator" for? -- several of your complaints about the lack of
verisimilitude of URLs "forged" using this unprintable-characters trick
ignore another of IE's cute URL display stupidities -- its truncation
on display of "overlong" URLs. To beat most of your "complaints" about
how this could not be particularly easily used because of other easy
methods of checking URLs, the scammer simply needs to stuff a few dozen
spaces immediately before the unprintable character that causes the
spoof to work well.
3. Many of the rest of your complaints about the lack of
verisimilitude of these URLs may be overcome with the clever use of
such URLs in server-side redirects.
4. Your explanation of why this "won't work in real life" was based on
using a savvy user (yourself, in fact!) as the baseline. Of course
these scams won't work against you or me or (hopefully) any readers of
your list. If they did, whoever was taken in should not be doing the
job they are now. I'm much more concerned about folk such as my aged
parents, their friends and the many millions of less sophisticated
computer users who have been sold the lie that the age of "universal
computing" is here, it is now and it is the way of the immediate
If we had to worry each time we pushed a couple of slices of bread into
our toasters that some slimeball on the other side of the planet would
have untrammelled access to our bank accounts for the duration of the
toasting process, I suspect we'd all just eat bread (or at least find
other ways to make toast!) and the "toaster industry" would _DESERVEDLY_
fail. Computing on the scale and with the breadth of reach and impact
that we have inflicted on the unwary, and those who are largely not
sophisticated enough to know what questions to ask, is certainly
_nowhere near_ the same level of consumer readiness as the domestic
bench-top toaster. The lie that it is, is largely the responsibility
of Bill and Co. I think they should start accepting the very real
responsibility they have, personally, professionally and commercially
to fix this. Working on, and releasing ASAP, yet another fix for IE
would show that they _MAY_ be beginning to understand their role in all
this and that they _MAY_ be starting -- just starting -- to get a clue
what "Trustworthy computing" might really be all about.
Of course, it will screw their "no security updates in December"
marketing BS, but they'll still be able -- quite bogusly due to the
aggregation of patches and the suspected increased rate of patching non-
acknowledged bugs -- to claim that 2003 was a "better" year than 2002
because they had so many fewer security patches to release.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
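The space-stuffing trick in point 2 above is easy to check for at a mail gateway or link filter. What follows is an added example, not code from the post or from anyone on the list. It assumes the well-known shape of the %01 bug (not spelled out above): the victim-looking name goes in the userinfo part of the URL, e.g. `http://www.bankx.com%01@evil.example/`, and the affected IE builds showed only the text before the encoded control character while actually connecting to the host after the `@`. The function parses the URL itself rather than trusting a browser's parser, decodes the userinfo, finds the first control byte, and reports the host a truncating address bar would have shown versus the host the request really goes to, along with how many padding spaces preceded the control byte. Host names in the samples are made up.

```javascript
// Added example: flag URLs that abuse the IE "unprintable character in the
// URL" display bug. ASSUMPTION (from the public description of the bug, not
// from the post above): the spoof uses the userinfo@host form, e.g.
//   http://www.bankx.com%20%20%01@evil.example/login
// where a truncating address bar shows only "http://www.bankx.com".

// scheme://[userinfo@]host[:port][rest]; hand-rolled so the split is ours.
const URL_RE = /^([a-z][a-z0-9+.-]*):\/\/(?:([^/?#@]*)@)?([^/?#:]+)(?::(\d+))?([/?#].*)?$/i;

// Decode %XX sequences byte-wise; malformed sequences are left untouched.
function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Returns a report describing what the URL really points at, what a
// truncating display would have shown, and whether the two disagree.
function analyzeUrl(raw) {
  const m = URL_RE.exec(raw.trim());
  if (!m) return { parsed: false, raw };
  const [, scheme, userinfoRaw = null, host] = m;
  const result = {
    parsed: true,
    scheme: scheme.toLowerCase(),
    realHost: host.toLowerCase(),      // where the connection actually goes
    apparentHost: host.toLowerCase(),  // what the user would be shown
    hasUserinfo: userinfoRaw !== null,
    controlChars: [],                  // decoded control bytes in userinfo
    paddingBeforeControl: 0,           // stuffed whitespace before the first one
    spoofed: false,
  };
  if (userinfoRaw === null) return result;

  const userinfo = percentDecode(userinfoRaw);
  let firstCtl = -1;
  for (let i = 0; i < userinfo.length; i++) {
    const c = userinfo.charCodeAt(i);
    if (c < 0x20 || c === 0x7f) {       // C0 controls and DEL
      result.controlChars.push(c);
      if (firstCtl < 0) firstCtl = i;
    }
  }
  if (firstCtl >= 0) {
    // A display that stops at the control byte shows only this prefix; the
    // spaces the scammer stuffed in push everything after it out of view.
    const shown = userinfo.slice(0, firstCtl);
    const trimmed = shown.replace(/\s+$/, '');
    result.paddingBeforeControl = shown.length - trimmed.length;
    result.apparentHost = trimmed.toLowerCase();
    result.spoofed = result.apparentHost !== result.realHost;
  }
  return result;
}

// Constructed samples (hosts are fictitious).
const SAMPLES = [
  'http://www.bankx.com%20%20%01@evil.example/login',   // spoof with 2 pad spaces
  'https://www.bankx.com/login',                         // ordinary link
  'http://user:pw@example.net/',                         // userinfo, no spoof
];
for (const s of SAMPLES) console.log(s, '=>', analyzeUrl(s));
```

A gateway rule built on this would quarantine any link where `spoofed` is true, and would probably also flag plain `hasUserinfo` links to web hosts, since legitimate bank mail has no reason to carry credentials in a URL. Note that `%00` is handled the same way as `%01`; whether a particular IE build truncated at one or the other is not something this check depends on.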