[Dshield] MSFT Internet Explorer, %01 URL spoofing

James C. Slora Jr. Jim.Slora at phra.com
Sun Dec 14 23:06:47 GMT 2003

> http://johannes.homepc.org/ievuln.html

In the second to last example, my IE6 shows the long string of %20
characters plainly in the address bar while visiting the fake pages (but
nothing after them), but hovering over the links displays only the fakebank

In the last example, I see the %001 in the address bar after the fakebank
URL, but only the fakebank while hovering.

All the other pages hide the URL successfully under the conditions listed in
Johannes' main test page.

Some Bugtraq members have reported Mozilla / Firebird and Opera as
vulnerable, others have reported these browsers as not vulnerable. We have
one person here saying that Netscape on Windows is vulnerable for them and
another who says it is not. There are inconsistencies from machine to
machine, and some people report inconsistencies on a single machine.

None of this testing seems to have been particularly scientific, but there
seems to be evidence that the bug goes beyond IE. "Dump your browser"
recommendations are probably not a cure-all for this problem.

But kudos to those who dumped IE for Netscape Gold "a decade ago" - two
years before IE existed, one year before the first Netscape release, three
years before Netscape Gold, and five years before IE was widely adopted.
Talk about foresight.

I have not seen any reports of non-Windows systems having problems, though.
Good news - only 99% of surfers are vulnerable (OK, 98% if half the non-IE
surfers are safe). Disclaimer: I made up these percentages but I don't think
they are too far from reality.

Beyond the phishing scenarios, the bug also helps browser hijackers, start
page trojans, search hijackers, etc. by hiding the fact that the browser has
been compromised - without needing to modify the hosts file or DNS settings.
Telling users to "use your favorites to navigate" does not help them if
their favorites have been socially engineered. Same with search engines.

This gives the vulnerability commercial potential in the gray area inhabited
by adware and browser helpers, and pretty much guarantees that it will be
exploited in the wild on at least a moderate scale.

The bottom line is that there is very little mitigation we can do, and we
need a patch for affected browsers.
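Added example, not code from the original post or from Johannes' test page: a small Python checker that a mail or proxy filter could run over links. It reports the host a standards-following client would actually connect to and flags the indicators the thread describes (a long run of %20 padding, a percent-encoded %00 or %01 control character) together with a domain-looking string planted in the userinfo part before "@", which is the URL shape this class of spoof is assumed to use. The sample URLs, the placeholder host names and the function names `analyze` and `is_spoof_candidate` are all constructed for this example.

```python
"""Flag URLs whose displayed prefix can differ from the host a client really
contacts (userinfo before '@', %00/%01 control escapes, %20 padding).

Added example for this thread; not code from the original post or from the
test page it links to.  Host names below are constructed placeholders."""
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded C0 control characters (%00..%1F) and DEL (%7F).  %01 is the
# case in the subject line; %00 is what the "%001" mentioned in the post starts with.
CTRL_ESCAPE = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)
# A long run of encoded spaces pushes the real host out of a narrow address bar.
SPACE_PADDING = re.compile(r"(?:%20){8,}", re.IGNORECASE)
# Something that looks like a domain name sitting where a user name belongs.
HOSTLIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def analyze(url):
    """Describe one URL.

    Returns a dict with:
      real_host   - the host a client resolves (urlsplit already drops userinfo)
      userinfo    - raw text before '@' in the authority, or None
      indicators  - strings naming spoof indicators; empty means none found
    """
    parts = urlsplit(url)
    indicators = []
    userinfo = None

    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        # Drop any password part, decode escapes, and keep only what a display
        # that truncates at the first control character would show.
        shown = unquote(userinfo.split(":", 1)[0])
        shown = re.split(r"[\x00-\x1f\x7f]", shown)[0].strip()
        if HOSTLIKE.match(shown):
            indicators.append("userinfo looks like a host name: %s" % shown)

    if CTRL_ESCAPE.search(url):
        indicators.append("percent-encoded control character in URL")
    if SPACE_PADDING.search(url):
        indicators.append("long run of %20 padding")

    return {"real_host": parts.hostname, "userinfo": userinfo,
            "indicators": indicators}


def is_spoof_candidate(url):
    """True when at least one spoof indicator is present."""
    return bool(analyze(url)["indicators"])


# Constructed sample URLs (placeholder hosts); index 1..3 follow the spoof
# shape, index 0 and 4 are ordinary URLs (index 4 carries legitimate userinfo).
SAMPLES = [
    "http://www.example-bank.test/login",
    "http://www.example-bank.test%01@attacker.test/login",
    "http://www.example-bank.test%001@attacker.test/login",
    "http://www.example-bank.test" + "%20" * 40 + "@attacker.test/login",
    "http://user:secret@api.example.test/v1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        status = "SUSPICIOUS" if result["indicators"] else "ok"
        print("%-10s host=%s" % (status, result["real_host"]))
        for line in result["indicators"]:
            print("           - " + line)
```

Run as a script, the three spoof-shaped samples are reported with `attacker.test` as the real host, while the plain URL and the one with ordinary `user:secret` credentials pass; the check deliberately keys on the planted host name and the control or padding escapes rather than on the mere presence of userinfo, so it does not flood a filter with hits on legitimate authenticated links.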
