New IE Security Exploit

Are you still using Internet Explorer? You should really consider switching. A security exploit was discovered recently that all IE users need to be made aware of. The trick uses a non-displaying character and a rarely used URL convention to trick you into thinking you are on one site when you are really at a different site.

Let me explain the URL part first. Ever been to a site where a window popped up first asking for your username and password? You can bypass that little window by typing your username and password before the URL. For instance, if your username is “joey” and your password is “heehaw”, you would type the URL like this:

bq. http://joey:heehaw@www.joeyday.com

You can do that even for sites that don’t have a password. It will simply be ignored by the website you are loading.

So, what’s the exploit? Well, when it comes to displaying URLs, IE seems to ignore everything after certain non-displaying characters. So, sticking a fake URL followed by a few non-displaying characters before the @ symbol causes the real URL (the part after the @) to get cut off in the display. The display problem appears in the status bar when you hover over the link, and in the address bar after you’ve loaded the link.

Example: Download the world’s best Internet browser

If you’re using IE, you’ll see “http://www.microsoft.com” in the status bar when you hover over the link, and that’s also what you’ll get in the address bar once you’ve arrived on the page. However, instead of Microsoft’s page, you should get a page where you can download Mozilla Firebird.
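To make the “what you see versus where you go” split concrete, here is an added example (not code from the original post) that parses links of the kind described above, reports the host the browser really connects to, and flags userinfo that looks like an attempt to disguise it. The sample links are constructed, `attacker.example` is a placeholder host, and `displayed_prefix` is only an approximation of the buggy display described in the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links (not from the post); the host after '@' is a placeholder.
HONEST_LINK = "http://joey:heehaw@www.joeyday.com"
SPOOFED_LINK = "http://www.microsoft.com%01%01@attacker.example/download"

HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def is_control(ch: str) -> bool:
    """ASCII control characters: the 'non-displaying' characters the post describes."""
    return ord(ch) < 0x20 or ch == "\x7f"


def real_host(url: str) -> str:
    """The host a browser actually connects to: the authority after the last '@'."""
    return urlsplit(url).hostname or ""


def displayed_prefix(url: str) -> str:
    """Assumed approximation of the buggy display: the decoded URL cut at its first control character."""
    decoded = unquote(url)
    for i, ch in enumerate(decoded):
        if is_control(ch):
            return decoded[:i]
    return decoded


def spoof_indicators(url: str) -> list:
    """Reasons a link's userinfo looks like an attempt to disguise the real host."""
    userinfo, at, _ = urlsplit(url).netloc.rpartition("@")
    if not at:
        return []  # no userinfo at all, so there is nothing to hide behind
    decoded = unquote(userinfo)
    reasons = []
    if any(is_control(ch) for ch in decoded):
        reasons.append("control characters in userinfo")
    username = decoded.partition(":")[0]
    visible = "".join(ch for ch in username if not is_control(ch))
    if HOSTNAME_RE.fullmatch(visible.lower()):
        reasons.append("hostname-like username")
    return reasons


if __name__ == "__main__":
    for link in (HONEST_LINK, SPOOFED_LINK):
        print(f"{displayed_prefix(link)!r} -> connects to {real_host(link)!r}; "
              f"indicators: {spoof_indicators(link) or 'none'}")
```

A mail or web filter can apply `spoof_indicators` to every link it rewrites; the honest `joey:heehaw@` form yields no indicators, while the disguised form yields two.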

The implications are pretty obvious. Ever seen those little “Donate” links people put on their site that take users to PayPal? Anyone could use a link like that to direct users to a fake PayPal page asking them to re-enter their personal information. Stop and think for a second, and you can probably come up with a number of additional ways someone could use this security vulnerability to their advantage.

It’s important to note that this exploit does work partially on Mozilla Firebird. When you hover over the link in Firebird, you’ll see the fake address in the status bar. However, status bar text is easy to change using simple JavaScript, so this isn’t as big an issue. When you land on the page you’ll see the full URL, including the non-displaying characters. There’s already a patch available in the Bugzilla database (Bug #228176) that fixes the status bar glitch.

My guess is we’ll see a Windows Update in a few days that addresses the vulnerability in IE.