Re: IE URL obfuscation

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 12/11/03

  • Next message: Mark Burnett: "More on IE URL obfuscation"
    Date:         Fri, 12 Dec 2003 09:01:42 +1300

    Russ wrote:

    > More than a few people have pointed out the potential ramifications of
    > the %01 IE URL obfuscation issue. The most common concern is that
    > because the bug allows an attacker to forge the information in the
    > Address bar, attackers are going to use it to convince unsuspecting
    > consumers to go to forged bank sites or other such sites the user
    > trusts.
    > There is clearly the potential for this, but I'm not sure people have
    > fully thought this issue out.
    > I'm asking these questions with the thought of requesting that Microsoft
    > consider this an emergency issue.

    Given that we are at the beginning of a traditional (at least in the
    West) "silly season" this may be rather more urgent than you suggest...

    > At this point I am not convinced that it is such an important issue that
    > we need Microsoft to rush a patch out. However, given the concern
    > expressed by subscribers, I'd like to offer some of my thoughts on the
    > real risks, and then ask you to take a poll with them in mind.
    > 1. Consider the premise that an attacker sets up a duplicate site for
    > BankX. Emails are sent out to unsuspecting consumers in the hopes of
    > hitting customers of BankX;

    Sorry -- right now I do not have time to deal with your post with a
    point-by-point commentary highlighting the flaws and important further
    factors you missed at nearly every point, but I have time to briefly
    comment that at several places you overlooked how easy it is for
    the smart scammer to overcome the "objections" you raise, using tricks
    that are already somewhat to widely used by spammers and/or the
    bank/online services scammers. Four points to consider:

    1. It is _trivial_ to SE "enough" folk to make the approach cost-
    effective. Suppose (unlikely) that the bank/online services scammers
    use "expensive" spamming options such as "one-off posting to a spammers
    entire several hundred million Email addresses list" and that costs
    them perhaps US$20,000. What hit rate of folk with US$1,000 per
    transaction (or per day, etc) limits on their accounts are needed to
    cover the scammers costs?

    If you don't believe me that it is trivial to get a sufficient hit
    rate, you should talk to a few of the large banks who have recently been
    targeted by such scams. Many of these scams work precisely because of
    the SE in the scam message, particularly the threat of loss of service
    due to "improved security procedures unless you ...".

    Or, consider the phenomenal ongoing success of Swen and Dumaru -- two
    self-mailing viruses that SE themselves as important MS security

    2. Ignoring that most "typical users" are now entirely accustomed to
    utter gibberish URLs -- say, what exactly _is_ this:

    a "locator" for? -- several of your complaints about the lack of
    verisimilitude of URLs "forged" using this unprintable-character trick
    ignore another of IE's cute URL display stupidities -- its truncation
    on display of "overlong" URLs. To beat most of your "complaints" about
    how this could not be particularly easily used because of other easy
    methods of checking URLs, the scammer simply needs to stuff a few dozen
    spaces immediately before the unprintable character that causes the
    spoof to work well.

    3. Many of the rest of your complaints about the lack of
    verisimilitude of these URLs may be able to be overcome with the clever
    use of such URLs in server-side redirects.

    4. Your explanation of why this "won't work in real life" was based on
    using a savvy user (yourself, in fact!) as the baseline. Of course
    these scams won't work against you or me or (hopefully) any readers of
    your list. If they did, whoever was taken in should not be doing the
    job they are now. I'm much more concerned about folk such as my aged
    parents, their friends and the many millions of less sophisticated
    computer users who have been sold the lie that the age of "universal
    computing" is here, it is now and it is the way of the immediate

    If we had to worry each time we pushed a couple of slices of bread into
    our toasters that some slimeball on the other side of the planet would
    have untrammelled access to our bank accounts for the duration of the
    toasting process, I suspect we'd all just eat bread (or at least find
    other ways to make toast!) and the "toaster industry" would _DESERVEDLY_
    fail. Computing on the scale and with the breadth of reach and impact
    that we have inflicted on the unwary, and those who are largely not
    sophisticated enough to know what questions to ask, is certainly
    _nowhere near_ the same level of consumer readiness as the domestic
    bench-top toaster. The lie that it is, is largely the responsibility
    of Bill and Co. I think they should start accepting the very real
    responsibility they have, personally, professionally and commercially
    to fix this. Working on, and releasing ASAP, yet another fix for IE
    would show that they _MAY_ be beginning to understand their role in all
    this and that they _MAY_ be starting -- just starting -- to get a clue
    what "Trustworthy computing" might really be all about.

    Of course, it will screw their "no security updates in December"
    marketing BS, but they'll still be able -- quite bogusly due to the
    aggregation of patches and the suspected increased rate of patching non-
    acknowledged bugs -- to claim that 2003 was a "better" year than 2002
    because they had so many fewer security patches to release.

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
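The check below is an added example, not code from the thread or from either poster. It models the defensive side of the trick Nick describes in point 2: a URL whose "userinfo" portion (the text before an `@` in the authority) is what the address bar shows, while the browser actually connects to the host after the `@`; an unprintable character such as %01 hides the remainder, and padding the userinfo with dozens of spaces exploits IE's display truncation. The analyser reports the host really contacted and flags the two tell-tales, so a mail gateway or proxy can warn on such links. All hostnames and addresses are constructed placeholders.

```python
"""Spot address-bar spoofing URLs of the form http://trusted-looking%01@real-host/.
Added example for the NTBugtraq thread; hostnames below are constructed."""
import re
from urllib.parse import urlsplit, unquote

# ASCII control characters (including %01) and DEL, after percent-decoding.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def analyze_url(url: str) -> dict:
    """Return the host the client would really connect to, the text a reader
    would take for the host, and a list of warning flags (empty if clean)."""
    parts = urlsplit(url)
    netloc = parts.netloc
    flags = []
    if "@" not in netloc:
        host = (parts.hostname or "").lower()
        return {"real_host": host, "apparent_host": host, "flags": flags}

    # Everything before the last '@' is userinfo; the browser ignores it when
    # choosing the host, but it is what appears first in the address bar.
    userinfo, _, hostport = netloc.rpartition("@")
    decoded = unquote(userinfo)
    flags.append("userinfo-present")
    if CONTROL_CHARS.search(decoded):
        flags.append("control-char-in-userinfo")
    # The post describes stuffing "a few dozen spaces" before the control
    # character so the real host falls off the end of a truncated display.
    if re.search(r"\s{3,}", decoded):
        flags.append("whitespace-padding")
    visible = decoded.split(":")[0]
    if "." in visible:
        flags.append("userinfo-looks-like-hostname")

    real_host = hostport.split(":")[0].lower()
    apparent_host = CONTROL_CHARS.sub("", visible).strip()
    return {"real_host": real_host, "apparent_host": apparent_host, "flags": flags}


def is_suspicious(url: str) -> bool:
    """True when the userinfo carries control characters, padding, or a
    hostname-shaped decoy: the combination used to forge the address bar."""
    flags = set(analyze_url(url)["flags"])
    return bool(flags & {"control-char-in-userinfo", "whitespace-padding",
                         "userinfo-looks-like-hostname"})


if __name__ == "__main__":
    # Constructed sample: decoy bank name, 30 encoded spaces, %01, real host.
    sample = "http://www.bankx.example" + "%20" * 30 + "%01@203.0.113.5/login"
    print(analyze_url(sample), is_suspicious(sample))
```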
