
secniche


Internet Explorer 8 : Anti Spoofing is a Myth

Broken Status Address Bar Link Integrity. (C) SecNiche Security Aditya K Sood

 

IE Versions – 7 /8 Beta 1 / Beta 2.

This issue is already under discussion with Microsoft. We are expecting more strategic views from the community. It would be great if this issue were taken as a concern.

 

[1] IE8 Status Address Bar Discreet Behavior!

 

With the new features implemented in IE 8, the status address bar has been transformed too. The new step taken by the Microsoft IE team, which is not to show the address of the selected link in the status bar, can have a serious impact. A user will not be able to see the active link in the status bar. This looks like an implementation of security through obscurity. The status bar is required for the Link Integrity check that assures a user about the legitimate website. We are not considering the ingrained vulnerabilities of status address bar spoofing in browsers at this point. Browsers like Mozilla, Chrome etc. have well designed and effective status address bars. But this functionality has become a myth in Internet Explorer (8). Some of the difficulties arising from these enhancements are mentioned below:

 

1. On the design side, it is not considered a good user-centric design because instead of providing ease to the users it creates ambiguity. One cannot predict the actual link while surfing.

 

2. The Visual Link Integrity is completely broken in the status bar. Because there are a number of browser status bar spoofing vulnerabilities, no integrity check can be imposed in relation to it.

 

[2] Microsoft View

There is another myth on which we do not agree with Microsoft. For any link injected into a web page and viewed in the browser, the status bar must show the same link whether the web page is online or offline. It does not have any explicit relation to the internet zones unless certain conditions are met (race condition problems, cross domain content etc.). It’s not about phishing filters and zone problems. There is an entry on the MSRC blog, which is indicated below:

 

http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx

 

When the issue was discussed with Microsoft, the response was something different. The giant treats it as a matter of Local Machine Zone and Internet Zone. So what happens exactly is that the user can see the status of the link in the local zone but not in the Internet Zone (online pages). It is really strange in its own context and in the way it is implemented.

 

Is it possible that changing the display behavior of the status bar, so that one cannot see the actual link, makes us more secure? What is the guarantee that there will be no occurrence of spoofing in a status address bar? Well, the answer seems to be compelling here. On the contrary, it has raised more complications. If you cannot see the link in a status bar, it indirectly points to the fact that it can be spoofed even without a generic vulnerability.

 

[3] History of Status Bar and Address Bar Vulnerabilities in IE

 

We have already seen a number of status address bar spoofing vulnerabilities in the past. Representative examples of address bar vulnerabilities are stated below:

 

3.1 Status address bar spoofing in a pop-up window that is generated through the main browser window. This is possible due to the presence of certain special or wild characters. These can be [%, %0A, %00 etc.]. You can check some of the codes here:

 

    http://www.milw0rm.com/exploits/7226

    http://www.milw0rm.com/exploits/2657

 

3.2 Other IE 6 address bar spoofing vulnerabilities based on DNS and other nbsp characters in the URL. These issues are explained in detail in the paper by Amit Klein mentioned below.

    http://www.trusteer.com/address-bar-spoofing-attacks-against-microsoft-internet-explorer-6

 

3.3 Race condition problem due to ineffective loading of third party contents. This issue was described in one of the advisories released by Secunia.

 

    http://secunia.com/advisories/19521/

 

3.4 Zone security bypass and Address bar problem. The issue has been released here:

 

    http://secunia.com/advisories/11830/

 

These are the standard issues noticed so far.

 

 

[4] Cross Check – Status Address Bar Spoofing Vulnerability

In order to cross check, a proof of concept was designed and tested against IE8 status address bar spoofing in the main window. We assume a uniform behavior of IE, such that pages viewed offline or online must have a status bar with the same behavior. There should not be a difference in functioning.

 

Note: The vulnerability was tested against the new builds of Chrome, Mozilla, Safari and Opera. The response is the same as expected whether a web page is viewed offline or online. The links are interpreted appropriately. IE6 shows spoofing in the status bar, which indicates that it is vulnerable to spoofing attacks. The tests outline the differential behavior of IE8. This proof of concept will prove that changing the behavior of the status address bar cannot assure a secure way of traversing links. This proof of concept does not relate to pop-up based window spoofing.

 

The script can be found here: IE8 Beta Inline Status Bar Spoofing Vulnerability Cross Test

 

We have used the onMouseOver, window.status and onMouseOut events. This helps us to manipulate the status address bar in the main window in IE and not in pop-ups (by using location.href and window.open JS calls).
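
A defender-side check for the pattern described above, as an added example that is not part of the original post or its proof of concept: it scans markup for anchors whose inline handlers write to window.status and flags those where the host shown in the status bar differs from the host of the real href. The sample markup, the example.com / example.net hosts and the function names are assumptions made for illustration.

```javascript
// Added example (not the original proof of concept). SAMPLE_PAGE is constructed;
// example.com and example.net are placeholder hosts.
const SAMPLE_PAGE = `
<a href="http://login.example.net/collect"
   onMouseOver="window.status='http://www.example.com/'; return true;"
   onMouseOut="window.status=''; return true;">My account</a>
<a href="http://www.example.com/help">Help</a>
<a href="http://www.example.com/news"
   onmouseover="window.status='http://www.example.com/news'; return true">News</a>
`;

// Hostname of an absolute URL, or null when the string is not one.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Collect the quoted attributes of one start tag (names lower-cased).
function attrsOf(tag) {
  const attrs = {};
  const re = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Report every <a> whose inline on* handler assigns text to the status bar.
// Regex tag matching is enough for an audit pass; it is not a full HTML parser.
function findStatusBarOverrides(html) {
  const statusRe = /\b(?:status|defaultStatus)\s*=\s*(['"])(.*?)\1/i;
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const attrs = attrsOf(tag);
    const realHost = hostOf(attrs.href || "");
    for (const [name, code] of Object.entries(attrs)) {
      if (!name.startsWith("on")) continue;
      const m = statusRe.exec(code);
      if (!m || m[2] === "") continue; // an empty string only clears the bar
      const shownHost = hostOf(m[2]);
      const mismatch = shownHost !== null && realHost !== null && shownHost !== realHost;
      findings.push({ href: attrs.href, handler: name, shown: m[2],
                      verdict: mismatch ? "mismatch" : "override" });
    }
  }
  return findings;
}

console.log(findStatusBarOverrides(SAMPLE_PAGE));
```

A "mismatch" finding is the case the article is concerned with; an "override" finding shows the same host but still replaces what the browser would have displayed.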

 

Target Check :- Microsoft IE [ Beta]

 

Let’s see what is interpreted by Microsoft Internet Explorer:

 

 

 

 

Inference: The test was conducted on the local system. This indicates that the IE 8 status address bar is spoofed. The browser has to show the same behavior even when the web page is viewed online. But no link is shown in the status bar when the web page is viewed online. This proves that, behind the bars, the vulnerability persists. The victim has no clue of what is actually happening in the background. The above vulnerability can be summed up as a contradiction in the design of IE8, which does not display links in the status address bar when a user points to hyperlinks present in the web page. All the other browsers show the same status bar behavior whether the web page is viewed offline or online. This enhanced feature in IE will ease redirection and spoofing attacks. You cannot even defend against phishing attacks when certain conditions are made favorable.

 

Jolt: This vulnerability works perfectly fine in IE 6.

 

Note: We performed the same vulnerability test on Mozilla, Google Chrome, Opera and Safari to scrutinize the functional behavior of these browsers.

 

Target Check :- Google Chrome [Latest Build]

 

 

 

 

Inference: The test failed. Links are interpreted in an appropriate manner.

 

Target Check :- Mozilla Firefox [Latest Build]

 

 

 

 

Inference: The test failed. Links are interpreted in an appropriate manner.

 

Target Check :- Opera [Latest Build]

 

 

 

 

Inference: The test failed. Links are interpreted in an appropriate manner.

 

Target Check :- Safari [Latest Build]

 

 

 

 

Inference: The test failed. Links are interpreted in an appropriate manner.