IE6 URL spoofing patch
Lando
12-19-2003, 01:05 PM
Sorry if this is not the proper forum, best I could see, but I thought many others would like to know about a patch for the serious URL spoofing problem affecting IE5-6, where it LOOKS like you are at one site when you are REALLY at another one, for those still using IE6 ;). In short, means that you could be giving vital info (credit card, etc.) to a hacker.
I have read, at least as of this time, MS has not addressed the problem yet (no patch released yet), but reading www.rootsecure.net, a site I read daily, there are some patches available.
Go here -
<mod edit - it has been reported that there is a trojan at this address.
The link was posted in good faith, but I suggest anyone who visited the link check their system out urgently>
for a test with your IE browser (btw, Netscape 7.1, what I use, is not affected. It shows the spoof :) ) and for a place to download a patch. I tested it, and seems to work great for IE. The spoof is revealed.
If you are not familiar with what I am talking about, the site also explains the problem, and EVERY one who uses IE 5-6 is affected!
Hope this helps someone.
Lando
Lando
12-19-2003, 05:15 PM
I received the above info (about the IE patch) from one of a few security websites and at first was shown to be 'OK'. Reputable sites too!
Well, I use The Cleaner from MooSoft, had an update and just happened to look at the new db. Found that the patch was listed, but was noted as an 'error', and that it would be fixed later (meaning an 'error' adding it to trojan db)
Well, I decided to REALLY find out for sure, so I emailed MooSoft.
Here's the reply:
>>It (Openwares IE patch) is a trojan. The database has been corrected, thank you.
The "patch" installs spyware into your browser that reports all URLs that you
visit back to the Openwares site.
Daniel Otis-Vigil
MooSoft Development LLC
>>
OK so as far as MooSoft is concerned, DO NOT INSTALL!
Dang! I'm very sorry for any misleading info, but I read elsewhere that it was a good patch. Guess I will wait until Microsoft actually makes a patch!
Was just trying to help! :( Will be a lil more careful next time!
davebarnes
12-22-2003, 11:18 AM
Why is this a problem?
Use Opera as your browser and stop worrying about IE exploits.
,dave
Sualdam
12-22-2003, 11:35 AM
But in covering the 'Evil Empire' scenario in other threads, all that would happen is that if everyone used Opera then people would find exploits in that.
I don't think the issue of exploits in IE is usefully connected with 'use something else' ideas.
Personally - and I speak for the VAST majority of computer users - I use IE and would like to be able to fix any problems. Without switching to something else.
cooper
12-22-2003, 11:40 AM
Better yet, what should we tell the general public when visiting our web sites?
How should we best inform them without more confusion?
How do we assure them that they aren't being "tricked" when visiting our web sites?
Aside from asking them to switch browsers, which may not be an option for many due to company policies or the user doesn't even know what a browser is, how do we inform them and still assure them that they are getting the real deal with our sites?
Thanks for the heads-up Lando!
Lando
12-22-2003, 01:01 PM
You're welcome Coop! Even though it would have been a better heads up if I had just waited literally 10 minutes and found out about the prob.
Reading some security sites, it came out soon after I posted this first post (figures!)
Anyway, SOME claim (sorry, don't have the article in front of me right now) that the info sent back to the company is to help assist in confirming that the URL is a valid one. Why? Well, it doesn't go into details.
It SEEMS that the data feedback is not malicious, more like marketing spyware than anything, but that's what's the word on the Net. Supposedly there is going to be another one that is better, but I'm not gonna load it. Just updating for u.
By the way, I'm a Netscape dude myself, but since many use IE, and sometimes I have to use IE 'cause a site doesn't like Netscape.
Again, sorry for the bad advice. Really haven't had this happen before, and hopefully not again! Thanks for the feedback.
Lando
Nargule
12-22-2003, 01:40 PM
Well, since we are on the subject of spoofing...
There are a number of things I do to help protect myself from spoofing. Note that I say "help protect myself", not "prevent".
When browsing a secure site, one thing that can be done is to double click the lock icon and view the site's certificate info. Since the certificate lives on the server itself, viewing the certificate may reveal if the site is being spoofed.
Also, one can check the domain name on the certificate with the one in the URL window. If they don't match IE will bring up a warning. However even if they do match, make sure that it is related to the site you are surfing.
Many sites use a third party to process their credit cards. In this case I might be surfing "www.SomeMerchantsSite.com" and be taken to "www.SomeProccessorsSite.com" to complete my order. I am very suspicious of such activity especially when the original site never mentioned the redirection.
In any event Lando, you reminded me to run a windows update and see if anything new was out.
alienzhavelanded
12-22-2003, 02:56 PM
Clearly it would be safer to just wait until January for Microsoft to release their own patch. Why take the risk of downloading third party "patches" that turn out to be trojans. Only the ignorant would consider such a thing better than something directly from the manufacturer. Would you let Chevy fix your Ford vehicle?
The Martian
Sualdam
12-22-2003, 03:47 PM
Come on, guys. No one likes to have it rammed down their throat when they commit a faux pas. Lando already said sorry for doing it, and he posted in good faith.
This is sorted now. Let's not continue with the clever personal adjectives and analogies, eh?
cooper
12-22-2003, 04:50 PM
Clearly it would be safer to just wait until January for Microsoft to release their own patch. Why take the risk of downloading third party "patches" that turn out to be trojans. Only the ignorant would consider such a thing better than something directly from the manufacturer. Would you let Chevy fix your Ford vehicle?
Well if they can do it now and for free, maybe. If they put in Chevy parts that don't work with my Ford, then obviously no.
Microsoft has a way of taking too long to patch their software. If someone is willing to fix a problem and do it for free, why not take advantage of it. It's all about the trade-off. Personally I wouldn't use it if it has spyware in it. But then, I use Mozilla on a Mac. When I use my windows PC I use IE but that may be changing...
:o)
minstrel
12-25-2003, 06:23 PM
Please note: Warning downgraded :-) If you use McAfee AntiVirus program, you may receive a "virus" alert when visiting the "spoof" page below, about the following "viruses":
Exploit-URLSpoof
Exploit-URLSpoof[1]
This is just warning you that the links redirect you to somewhere other than address shown in your browser, which of course is what the links are supposed to do. You can safely ignore the warnings for these links only.
Additional note: If you're not running a firewall and real-time antivirus scanner, you should be and you should set them both for auto-update. The best recommendations for free ones are as follows:
ZoneAlarm Free Firewall (http://www.zonelabs.com)
AVAST Free AntiVirus Program (http://www.avast.com)
AVG Free AntiVirus Program (http://www.grisoft.com)
------------------
From the December 19, 2003, edition of TOURBUS - http://www.TOURBUS.com
According to Microsoft,
a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar.
Why is this a bad thing? Well, InformationWeek warns that
This flaw would make it appear to Internet users that they're visiting a banking Web site, for example, when that site is actually a front for fraudsters attempting to collect sensitive financial information...
How can you tell if you're vulnerable? Just hop on over to http://netsquirrel.com/spoof/ and click on the microsoft.com link on that page. If Microsoft's website loads in your web browser, move along. There's nothing to see here. However, if the page that loads isn't Microsoft's but rather eBay's, you're completely vulnerable. And remember, this vulnerability doesn't just affect Internet Explorer, it also affects your copies of Microsoft Outlook and/or Outlook Express. Now for the REALLY bad news: There's no way to fix this problem. Yet. Should you panic? As I said, no! But, until Microsoft finds a fix, you should take the following precautions:
1. DON'T TRUST HYPERLINKS IN HTML-FORMATTED EMAIL MESSAGES (emails that display images and hyperlinks and look very much like web pages) even if those email messages are from your friends or family. This is especially true for hyperlinks in email messages from Amazon, AOL, eBay, PayPal, your bank, your credit card company, or any other company you normally do business with. If any web site, financial company, or commercial entity sends you an email asking you to click on a hyperlink in that email to update your account information, DO NOT CLICK ON THAT LINK. Because of Internet Explorer's URL spoofing vulnerability, you simply cannot trust hyperlinks in HTML-formatted emails to point to the correct URL.
2. BE SUSPICIOUS OF HYPERLINKS ON WEB PAGES YOU HAVE NEVER VISITED BEFORE. To be completely honest, the chance of you running into a spoofed URL on a web page is pretty slim, and the chance is all but zero on the big .com sites you visit every day. More likely than not, the criminals will be spoofing URLs in email messages, not on Web pages. But, if you are at a web page you have never visited before, exercise a little caution. If something feels wrong, leave.
3. THE BEST WAY TO AVOID BEING HIJACKED BY A SPOOFED URL IS TO MANUALLY TYPE THE URL USING INTERNET EXPLORER'S ADDRESS BAR. Remember, the spoof only affects hyperlinks in email messages and web pages, not addresses you manually key in to your Internet Explorer address bar. So, to be really safe, if you need to access your account information at Amazon, AOL, eBay, PayPal, your bank or financial institution, your credit card company, or any other company you normally do business with, manually enter the URL.
Some will also argue that this URL spoofing vulnerability is a perfect reason to abandon Windows/Internet Explorer/eating with utensils. That’s for you to decide. However, since my email inbox will explode if I don’t say this, the smarter and better looking people long ago abandoned Internet Explorer in favor of Mozilla, Safari, and Opera (among others.) These smarter and better looking people look upon Internet Explorer users with abject contempt, but they will happily welcome you back into the smart and pretty club once you regain your senses and adopt a different web browser and/or operating system.
By the way, does this URL spoof actually affect Mac and *nix users? Yes and no. If you click on the Microsoft link on http://www.netsquirrel.com/, you'll most likely be taken to eBay but the URL in your address bar will look funky. That’s good. It’s supposed to look funky. What’s different in Internet Explorer is that the spoofed URL *DOESN’T* look funky at all. And that’s bad.
From the website:
That spoofed Microsoft link you clicked on will take pretty much every browser on the planet -- Netscape, Opera, Mozilla, etc. -- not to microsoft.com but rather to ebay.com. That's NOT the problem. The problem is that while Netscape, Opera, and Mozilla all show you something's wrong with that spoofed Microsoft URL by displaying something funky in the address or status bars like "http://www.microsoft.com%00@ebay.com/" or "http://www.microsoft.com", Internet Explorer gives you no "warning" whatsoever. Instead, Internet Explorer simply displays the WRONG URL in BOTH the address and status bars. THAT'S the problem... The problem isn't that the spoofed Microsoft link above redirects you to eBay [it redirects everyone, regardless of their browser] but rather that, in Internet Explorer, you have absolutely no idea or warning that you're being redirected in the first place.
Finally, Broadband Reports has done the best job of covering this vulnerability. You can find their latest update at http://www.dslreports.com/shownews/36402. My guess is that Microsoft will patch this vulnerability when they release their next batch of critical updates on January 14th. But I could be wrong. Until the patch is released, exercise a little caution and you should be fine.
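An added illustration, not part of the original post or the newsletter it quotes: a mail- or proxy-side check for the link form quoted above, where the text before "@" is userinfo and the real destination is the host after it. The function names, warning labels and the example.org link are assumptions made for this example; the first sample href is the test URL quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Host name written in the visible link text, e.g. "http://www.microsoft.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def inspect_url(url):
    """Return (host the browser really contacts, warning labels)."""
    parts, reasons = urlsplit(url), []
    if "@" in parts.netloc:
        # Everything before the last "@" is userinfo, not the destination.
        reasons.append("userinfo-before-host")
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        if any(ord(ch) < 0x20 for ch in userinfo):
            reasons.append("control-char-in-userinfo")
    return (parts.hostname or "").lower(), reasons

class LinkAuditor(HTMLParser):
    """Collects <a> links whose href or visible text looks deceptive."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host, reasons = inspect_url(self._href)
            shown = HOST_IN_TEXT.search("".join(self._text))
            if shown and shown.group(1).lower() != host:
                reasons.append("link-text-names-other-host")
            if reasons:
                self.findings.append((self._href, host, reasons))
            self._href = None

def audit_html(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample message; the first href is the test URL quoted in the post.
SAMPLE_EMAIL = """<a href="http://www.microsoft.com%00@ebay.com/">http://www.microsoft.com</a>
<a href="http://www.example.org/help">www.example.org</a>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_EMAIL))
```

The link-text comparison is an exact host match, so a link labelled "example.org" that points to "www.example.org" would also be reported.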
minstrel
01-01-2004, 12:56 PM
Microsoft Security Article (http://www.microsoft.com/security/incident/spoof.asp)
the holiday shopping season is coinciding with a rise in Internet crime. One particularly disturbing trend involves an increase in fraudulent phisher websites. In a phishing scam, a malicious attacker sets up a convincing-looking spoof of a legitimate website, then tries to trick people into revealing personal information, such as credit card numbers. There are several easy steps you can take to help protect yourself from this and other types of attack...
Phishing is the act of luring someone to a spoofed website. One common method is to send an e-mail that looks like it came from a trusted source but that contains a link to a malicious site. The malicious site is designed to look like the legitimate site in an effort to trick you into revealing personal information or downloading a virus.
Spoofing Attacks
Spoofing attacks are commonly used in conjunction with phishing. The spoofed site is usually designed to look like the legitimate site, sometimes using components from the legitimate site. The best way to verify whether you are at a spoofed site is to verify the certificate. Keep in mind that there are several ways to get the address bar in a browser to display something other than the site you are on. Therefore, do not rely on the text in the address bar as an indication that you are at the site you think you are.
Always verify the security certificate issued to a site before submitting any personal information.
Before submitting any personal information, ensure that you are indeed on the website you intend to be on. In Microsoft® Internet Explorer, you can do this by checking the yellow lock icon on the status bar. This symbol signifies that the website uses encryption to help protect any sensitive personal information—credit card number, Social Security number, payment details—that you enter.
If the lock is closed, then the site uses encryption. Double-click the lock icon to display the security certificate for the site. This certificate is proof of the identity for the site. When you check the certificate, the name following Issued to should match the site you think you are on. If the name differs, you may be on a spoofed site. If you are not sure whether a certificate is legitimate, do not enter any personal information. Play it safe and leave the website.
Also, be cautious about clicking links in e-mail messages or in online ads from retailers you don't recognize or trust. If you have any doubt about a link, do not click it. Instead, type the website address into the address bar of your Web browser, or try to confirm that the link is legitimate. Remember, if an offer sounds too good to be true, it probably is.