Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Internet Explorer 7 Popup Address Bar Spoofing Weakness reported by Secunia

October 25th 2006 in Uncategorized

http://secunia.com/advisories/22542/

"The problem is that it's possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions."

"Somewhat spoofed" is a fairly good description. 

I've not had a chance to have a comprehensive look at this, but note after a quick once-over that the spoof only seems to work while the addressbar is highlighted.  As soon as you click anywhere in the screen the real address appears.  Not only that, the addressbar itself is highlighted, which is unusual during normal Web browsing.

Edit: It has been noted that Secunia's proof of concept does not work if IE7 is set to open pop-ups in a new tab, and that the proof of concept only works in the exact, specific sized window that Secunia used when they displayed the result of the 'weakness'.

Richard G. Harper, MVP, comments:

"You could get it to work with a different size window but you'd have to re-calculate the invisible/spacer characters to make it work, and then it would be tied to THAT size window and no other.

There's no way to make it scalable – no way to make it so that it would properly obscure in a randomly-sized window, or a re-sized window. You can't even make it work in a maximized window since there's no hiding-space available there. A maximized window makes it very plain what the trick is."

I've emphasised the above text in bold and underline because it is very important.  Imagine, if you will, that you've gone to a fake site and have just clicked in a form field to enter data… your address bar, which has been highlighted, blinks and suddenly displays a different address – people are going to notice that.  They're also going to notice that what they think is their bank's Web site is only appearing in a little window, that can't be resized… I'm sure the vast majority of people will see all of the above as just too weird.

One thing that also occurs to me, which I haven't played with, is to wonder what effect different screen resolutions will have.
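The mechanism described above (filler characters appended to a URL so that only its leading part fits in the address bar) is something a proxy or mail filter can flag before a user ever sees the pop-up. The following is an added example, not code from the original post or from Secunia's advisory: a small Python heuristic that decodes the part of a URL after the host and reports the longest run of whitespace or invisible characters and the share of such characters overall. The thresholds, the set of filler code points and the sample URLs are assumptions constructed for this example.

```python
"""Heuristic detector for address-bar padding in URLs (added example)."""
import unicodedata
from urllib.parse import urlsplit, unquote

# Filler code points: ASCII whitespace plus common Unicode whitespace,
# zero-width and joiner characters. This set is an assumption of the example.
PADDING_CHARS = frozenset(
    " \t\r\n\u00a0\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008"
    "\u2009\u200a\u200b\u200c\u200d\u2028\u2029\u202f\u205f\u2060\u3000\ufeff"
)


def _is_padding(ch):
    """True for listed filler characters and any Cf (format) or Zs (space) code point."""
    return ch in PADDING_CHARS or unicodedata.category(ch) in ("Cf", "Zs")


def padding_stats(url):
    """Return (longest_run, padding_count, total_len) for the part after the host.

    Percent-encoding is decoded first, so "%20" runs count as spaces.
    """
    parts = urlsplit(url)
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    tail = unquote(tail)

    longest = run = count = 0
    for ch in tail:
        if _is_padding(ch):
            run += 1
            count += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest, count, len(tail)


def looks_padded(url, min_run=8, min_fraction=0.25):
    """Flag a URL whose tail has a long filler run or is mostly filler.

    min_run and min_fraction are assumed thresholds; tune them on real traffic.
    """
    longest, count, total = padding_stats(url)
    if longest >= min_run:
        return True
    return total > 0 and count / total >= min_fraction


# Constructed sample URLs (placeholder host, not a real site).
BENIGN_URL = "https://bank.example/login?session=abc123"
PADDED_URL = "https://bank.example/login" + "%20" * 60 + "?x=1"
ZERO_WIDTH_URL = "https://bank.example/" + "\u200b" * 40 + "index.html"

if __name__ == "__main__":
    for u in (BENIGN_URL, PADDED_URL, ZERO_WIDTH_URL):
        print(looks_padded(u), padding_stats(u), repr(u[:40]))
```

A long run of filler is the stronger signal, since ordinary URLs almost never contain dozens of consecutive spaces or zero-width characters; the fraction test catches shorter pads spread through a short path. Either way, the check is independent of the window size the pop-up was tuned for, which is the property a network-side filter needs.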

A special note to those who are yelling that the sky is falling and that IE7 should be blocked because of the above "weakness"

Wake up to yourselves.  IE7 has been immune to virtually every *real* exploit that has been released – exploits that are actually being used in the wild to compromise systems, and are therefore a real danger to Web surfers.  Any security advisor who recommended that IE7 be blocked on the basis of this address bar weakness, or the other reported IE7 vulnerability (which is not being exploited, and has not been exploited, despite being public since April and which says something in and of itself) would not last very long on any security team in which I had a say.

Professionals are meant to balance risk against reward, and not base their decisions on a pre-existing bias, whether it be their own bias or another's.

The Microsoft Security Response team have also blogged about this 'weakness':
http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx

SANS have seen fit to bump the description up from a "weakness" to a "vulnerability" for who knows what reason.
http://www.incidents.org/diary.php?storyid=1804

SANS's idea of "to work quite well" and my idea of "to work quite well" do not correlate.

As much as I dislike the fact that SANS have seen fit to call this *weakness* a *vulnerability*, to their credit they have said:

"We received a lot of reports from our readers suggesting that Firefox and some other browsers are vulnerable to this exploit as well.

In case of this vulnerability, it is not easy to say if a browser is vulnerable or not – we're not talking about exploiting a remote execution so it either works or it doesn't work. In this case, an attacker is actually trying to make the user believe that he's on a different site, and that can be, unfortunately, done using this vulnerability **on almost all browsers**."

You will note from the Opera and Firefox screenshots on the SANS site that Firefox does not show an addressbar at all.  Opera displays a small section of text.

When we compare the behaviour of IE7 to Firefox and Opera (see SANS screenshots) it can be said that IE7 is actually *safer* than Firefox and Opera.  Why?  Because:

1)  The addressbar is *highlighted* in IE7 when the window first opens – unusual in itself.

2)  The addressbar highlighting *turns off* (the addressbar flashes) and the address that is displayed changes as soon as you click anywhere on the page being displayed.  A visitor will instinctively look at the addressbar as soon as that happens to see what just changed – a visual cue that both Firefox and Opera lack.

3)  If the size of the pop-up window is changed in IE7, the weakness is immediately exposed.

Exploit window as it originally appears:

Exploit window after clicking anywhere on the page – note how the entire URL is displayed.


4 comments to...
“Internet Explorer 7 Popup Address Bar Spoofing Weakness reported by Secunia”

Sonic

If you let the pop-up always open in a new tab, you will find exploit does not exist.

Sandi says: Thanks Sonic. I've only had the opportunity to have the briefest look at the 'weakness'. It will be interesting to have a closer look later and confirm what you've said here [:)]



alunj

This is _such_ a weak flaw – is this really the worst Secunia could throw at IE 7?  Mind you, it's nice to hear that Firefox 2.0 is 'vulnerable' to it, too (if that's the word).

Sandi says:  Is FF2 vulnerable? The pop-up, at least for me, did not have an addressbar when using FF2, therefore no spoofed addressbar weakness.

It is kind of cool that some areas of the press are *so* determined to pick apart IE7, yet this is the best they can find. 



alunj

Sorry for the FF thing – I had been told it was vulnerable, but when I went to test it myself, I couldn't turn on the address bar in the popup windows. Uhh… that means FF doesn't have even the basic protection of telling you what site you're looking at in a popup, so if you were going to be phished by this popup in IE7, you'll definitely be phished by it in FF2. I don't think that counts as a win for Firefox.

Sandi:  Even more than that, IE7 can be said to be safer than FF or Opera when we look at the demonstration windows added to the SANS page.  I've just added this to my original article, but will repeat it here:

When we compare the behaviour of IE7 to Firefox and Opera (see SANS screenshots) it can be said that IE7 is actually *safer* than Firefox and Opera.  Why?  Because:

1)  The addressbar is *highlighted* in IE7 when the window first opens – unusual in itself.

2)  The addressbar highlighting *turns off* (the addressbar flashes) and the address that is displayed changes as soon as you click anywhere on the page being displayed.  A visitor will instinctively look at the addressbar as soon as that happens to see what just changed – a visual cue that both Firefox and Opera lack.

3)  If the size of the pop-up window is changed in IE7, the weakness is immediately exposed.



νικος κανακας

Hi

It is a great post and I have also observed that the problem is in this function. Internet Explorer 7 popup address bar spoofing weakness is right and I searched it.

