Tuesday, December 30, 2003

New IE Vulnerability

There is a new vulnerability in Internet Explorer that everyone needs to know about. I read about it in today's edition of Windows Fanatics from Lockergnome. What do you need to know? I'll let them do the explaining, as they do it best:
Ken Colburn of Data Doctors answers Lawrence, who wonders:

Q: What exactly is this new Internet address problem and what do I need to
A: Newly discovered vulnerabilities that are 'critical' in nature are
nothing new for the world's most prolific software maker, Microsoft.
Virtually every program made by the giant in Redmond, Washington is the
target of Microsoft haters, hackers, crackers, security firms looking for
exposure, or script kiddies (hacker wannabes).
The most recent of at least 20 this year, however, is especially
troubling for a couple of reasons.

The first is that, because it involves the Internet Explorer browser, it affects about 90% of the Internet public. The second is that it plays on
the years of advice given to Internet users for determining whether they
are on a trusted Web site, opening the way for massive identity theft and
credit card fraud.
The vulnerability allows malicious coders to create Web sites that look
exactly like legitimate sites, credit card companies, or online
merchants, and 'spoof' the web addresses. When a user is at one of these sites and looks in the
address section of IE, it will appear as if they are at that company's

Everything from the https:// to the little yellow padlock at the bottom
of the 'secure' page can appear complete with the spoofed company's web
address or URL (Universal Resource Locator) in the proper places.
This means that you can no longer trust what you see in the address bar,
especially if you are clicking on a link from an e-mail message or from
another web site. The possibilities are endless and very dangerous for
the less technical Internet going public.
You can test your browser for this vulnerability by going to
The problem was discovered by someone who goes by the alias 'Zap the
Dingbat', who posted the alert on a security mailing list, which did not
give Microsoft an opportunity to create a fix for the problem before it
was made public.
As a courtesy, most security companies will give software vendors some
lead-time with a newly discovered vulnerability so that the company can
come up with a fix before the problem is made public.
As of this writing, Microsoft has yet to fix the problem;
however, an open source project located at Openwares.org has posted a patch.

Because of this latest method of tricking users into divulging personal
and financial information, it is important that you do not click on any
links in e-mail that supposedly come from your bank, eBay, PayPal,
Amazon.com or any online merchant or financial institution.
If you receive what you think is a legitimate e-mail message from one of
your financial or merchant Web sites, do not click on any link in the
e-mail, especially if it is asking you to update your information.
Always go to the company's Web site manually by opening your browser
yourself and typing in the actual address for the company. If the
information sent in the e-mail is legitimate, then you should be able to
access it through the company's Web site when you sign in or log in to your
If you want a more technical approach to detecting spoofed addresses and
links, I have posted Microsoft's recommendations at
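The spoofing described in the answer above, and the "more technical approach" to detecting spoofed links it points to, come down to one check: does the host name a reader sees in a link match the host the browser will actually connect to? The following is an added example written for this page; it is not code from the newsletter, from Ken Colburn, from Microsoft or from the Openwares.org patch. It assumes, from the public report of this bug rather than from anything on this page, that the fake address hides the real host after an "@" sign, with a control character such as %01 placed before the "@" so the vulnerable address bar showed only the trusted-looking part. The sample links are constructed and do not point at real sites.

```javascript
// Added example: compare the host a reader sees in a link with the host the
// browser will really contact. Assumption (from the public report of this
// bug, not from this page): the spoofed address carries the trusted name in
// the userinfo part before "@", often followed by a control character such as
// %01, while the real destination is the host after the "@".

function checkLink(href) {
  const reasons = [];
  let parsed;
  try {
    // The WHATWG URL parser (built into Node and modern browsers) treats
    // everything before "@" as credentials; parsed.hostname is the real host.
    parsed = new URL(href);
  } catch (e) {
    return { href, apparentHost: null, realHost: null, suspicious: true,
             reasons: ['unparseable URL'] };
  }

  // What a casual reader takes to be the site: the first host-like token
  // after the scheme, cut at the first "/", "@", "%", "?", "#" or ":".
  const afterScheme = href.slice(parsed.protocol.length).replace(/^\/\//, '');
  const apparentHost = afterScheme.split(/[\/@%?#:]/)[0].toLowerCase();
  const realHost = parsed.hostname.toLowerCase();

  // 1. Credentials in a web link are almost never legitimate and are the
  //    hook this spoof hangs on.
  if (parsed.username !== '' || parsed.password !== '') {
    reasons.push('credentials (userinfo) before "@"');
  }
  // 2. Control characters (raw or percent-encoded %00-%1F) in the authority
  //    have no honest use; here they served to hide the rest of the address.
  const authority = afterScheme.split(/[\/?#]/)[0];
  if (/%0[0-9a-f]|%1[0-9a-f]|[\x00-\x1f]/i.test(authority)) {
    reasons.push('control character in authority');
  }
  // 3. The decisive test: shown host versus real host.
  if (apparentHost !== realHost) {
    reasons.push(`shown host "${apparentHost}" != real host "${realHost}"`);
  }
  return { href, apparentHost, realHost, suspicious: reasons.length > 0, reasons };
}

// Constructed sample links (not real sites) exercising each case.
const SAMPLE_LINKS = [
  'https://www.paypal.com%01@evil.example/login',   // spoof of the kind described
  'https://www.paypal.com/login',                   // genuine
  'http://user:secret@intranet.example/',           // credentials, no spoof intent
  'not a url',
];

for (const link of SAMPLE_LINKS) {
  const r = checkLink(link);
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok        ',
              link, '->', r.realHost, r.reasons.join('; '));
}
```

Run with `node` on the file; in a browser the same comparison can be made against the page actually loaded by reading location.hostname rather than trusting what the address bar draws. A legitimate link with a user name before "@" will also be flagged, which is the safe side to err on for links arriving in e-mail.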