[Dshield] Re: list Digest, Vol 12, Issue 19

Kenneth Coney superc at visuallink.com
Mon Dec 15 18:48:58 GMT 2003

You are right.  I stand corrected on trivial details.  It wasn't exactly a 
decade ago.  It was back when a Netscape (James is right, it wasn't the 
Gold variant, I happened to be looking at a Netscape Gold disk when I was 
writing, it was a downloaded variant that preceded the Gold) option to IE 
on an early Win 95 package first became available and that company wasn't 
on the Nasdaq yet (neither was Yahoo), so I guess that was eight or nine 
years ago, instead of 10.  I guess I should have said octal years ago 
(what's the word for nine years ago?).  Didn't think of it, sorry.

I agree that if one Netscape 7.1 user is vulnerable, then all probably are. 
The mere fact that in its current incarnation my Netscape browser isn't 
vulnerable today means little if someone else with the same browser is 
impacted.  The variation could be something gross such as Win 98, versus XP 
Home or XP Pro, or it could be something subtle like an XP process switch 
being set to manual or disabled on one person's machine and left on 
automatic on the other person's machine.  Or, a registry key being 
different, or the presence or lack of a software package or a plugin.

I note with bemusement that Spamkill and Spamassassin initially disallowed 
the earlier post to Dshield because:
Content analysis details:   (5.5 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  2.4 HTTP_ESCAPED_HOST      URI: Uses %-escapes inside a URL's hostname
  3.1 USERPASS               URI: URL contains username and (optional) password

So at least one set of protectors is on the problem already.  This is not 
the first time MS has released a vulnerability for which there is no patch. 
For some things there never will be a patch.  All of us are vulnerable 
and we remain vulnerable.  No one is bulletproof.  All we can do is stay 
current and try to install patches as they are released.  Clicking on 
links found in Spam mail of unknown origin isn't considered very smart 
anyway.  Wisest to use a trusted bookmark or type in the link.  Even then 
there is the issue of hijacked web pages.  Those who click a link, then go 
for coffee, will miss the little "transferring to..." message on the bottom 
of the screen.

Subject: Re: [Dshield] MSFT Internet Explorer, %01 URL spoofing
From: "James C. Slora Jr." <Jim.Slora at phra.com>
Date: Sun, 14 Dec 2003 18:06:47 -0500
To: <list at dshield.org>
Some Bugtraq members have reported Mozilla / Firebird and Opera as
vulnerable, others have reported these browsers as not vulnerable. We have
one person here saying that Netscape on Windows is vulnerable for them and
another who says it is not. There are inconsistencies from machine to
machine, and some people report inconsistencies on a single machine.

None of this testing seems to have been particularly scientific, but there
seems to be evidence that the bug goes beyond IE. "Dump your browser"
recommendations are probably not a cure-all for this problem.

But kudos to those who dumped IE for Netscape Gold "a decade ago" - two
years before IE existed, one year before the first Netscape release, three
years before Netscape Gold, and five years before IE was widely adopted.
Talk about foresight.

I have not seen any reports of non-Windows systems having problems, though.
Good news - only 99% of surfers are vulnerable (OK, 98% if half the non-IE
surfers are safe). Disclaimer: I made up these percentages but I don't think
they are too far from reality.

Beyond the phishing scenarios, the bug also helps browser hijackers, start
page trojans, search hijackers, etc by hiding the fact that the browser has
been compromised - without needing to modify the hosts file or DNS settings.
Telling users to "use your favorites to navigate" does not help them if
their favorites have been socially engineered. Same with search engines.

This gives the vulnerability commercial potential in the gray area inhabited
by adware and browser helpers, and pretty much guarantees that it will be
exploited in the wild on at least a moderate scale.

The bottom line is that there is very little mitigation we can do, and we
need a patch for affected browsers.
