Internet Explorer 8 : Anti Spoofing is a Myth

Broken Status Address Bar Link Integrity.

(C) SecNiche Security Aditya K Sood



IE Versions: 7 / 8 Beta 1 / Beta 2.

This issue is already under discussion with Microsoft. We are expecting more strategic views from the community. It would be great if this issue is taken as a concern.
[1] IE8 Status Address Bar Discreet Behavior !
With the new features implemented in IE 8, the status address bar has been transformed too. The new step taken by the Microsoft IE team, which is not to show the address of the selected link in the status bar, can have a serious impact. A user will not be able to see the active link in the status bar. This looks like an implementation of a security solution through obscurity. The status bar is required for the Link Integrity check that assures a user about the legitimacy of a website. We are not considering the ingrained status address bar spoofing vulnerabilities in browsers at this point of time. Browsers like Mozilla, Chrome etc. have well designed and effective status address bars. But this functionality has become a myth in Internet Explorer (8). Some of the stringencies arising due to these enhancements are mentioned below:

1. On the design side, it is not considered to be a good user centric design because instead of providing ease to the users it creates an ambiguity. One cannot predict the actual link while surfing.

2. The Visual Link Integrity is completely broken in the status bar. Because there are a number of browser status bar spoofing vulnerabilities, no integrity check can be imposed in relation to it.

[2] Microsoft View

There is another myth on the basis of which we are not agreeing with Microsoft. For any link injected into a web page and viewed in the browser, the status bar must show the same link whether the web page is online or offline. It has no explicit relation with the internet zones unless certain conditions are met (race condition problems, cross domain content etc.). It's not about phishing filters and zone problems. There is a blog entry present at the MSRC blog which is indicated below:

http://blogs.technet.com/msrc/archive/2006/10/31/information-on-address-bar-issue.aspx

When the issue is discussed with Microsoft, the response is something different. Well, the giant considers it as Local Machine Zone and Internet Zone. So what happens exactly is that the user can see the status of the link in the Local Machine Zone but not in the Internet Zone (online pages). It is really strange in its own context and in the way it is implemented. Is it possible that changing the behavior of the status bar display, so that one cannot see the actual link, makes us more secure? What is the guarantee that there will be no occurrence of spoofing in a status address bar? Well, the answer seems to be compelling here. On the contrary, it has raised more complications. If you cannot see the link in the status bar, it indirectly points to the fact that it can be spoofed even without having a generic vulnerability.

[3] History of Status Bar and Address Bar Vulnerabilities in IE

We have already seen a number of status address bar spoofing vulnerabilities in the past. The exemplary factors that are used to describe the address bar vulnerabilities are stated below:

3.1 The status address bar spoofing in a pop-up window that is generated through the main browser window. This is possible due to the presence of certain special or wild characters. These can be [% , %0A , %00 etc]. You can check some of the codes here:
http://www.milw0rm.com/exploits/7226
http://www.milw0rm.com/exploits/2657

3.2 Other IE 6 address bar spoofing vulnerabilities based on DNS and nbsp characters in the URL. These issues have been explained in a detailed manner in the paper by Amit Klein mentioned below.
http://www.trusteer.com/address-bar-spoofing-attacks-against-microsoft-internet-explorer-6

3.3 Race condition problem due to ineffective loading of third party contents. This issue has been projected in one of the advisories released by Secunia.
http://secunia.com/advisories/19521/

3.4 Zone security bypass and address bar problem. The issue has been released here:
http://secunia.com/advisories/11830/

These are the standard issues noticed so far.
[4] Cross Check - Status Address Bar Spoofing Vulnerability

In order to cross check, a proof of concept is designed which is tested against IE8 status address bar spoofing in the main window. We are considering a unanimous behavior of IE such that pages viewed offline or online must have an appropriate status bar with the same behavior. There should not be a difference in functioning.

Note: The vulnerability is tested against the new builds of Chrome, Mozilla, Safari and Opera. The response is the same as expected whether a web page is viewed offline or online. The links are getting interpreted appropriately. IE6 shows spoofing in the status bar effectively, which indicates that it is vulnerable to spoofing attacks. The tests outline the differential behavior of IE8.

This proof of concept will prove that changing the behavior in the status address bar cannot assure a secure way of traversing the links. This proof of concept does not relate to pop-up based window spoofing. The script can be found here: IE8 Beta Inline Status Bar Spoofing Vulnerability Cross Test

We have used the onMouseOver, window.status and onMouseOut events. This helps us to manipulate the status address bar in the main window in IE and not in pop-ups (by using location.href and window.open JS calls).

Target Check :- Microsoft IE [ Beta]

Let's see what is interpreted by Microsoft Internet Explorer:
Inference: The test has been conducted on the local system. This indicates that the IE 8 status address bar is spoofed. The browser has to show the same behavior even when the web page is viewed online. But no link is shown in the status bar when the web page is viewed online. The above stated fact proves that behind the bars, the vulnerability persists. The victim has no clue of what is actually happening at the back. The above vulnerability can be summed up as a contradiction in the design of IE8 for not displaying links in the status address bar when a user points to hyperlinks present in the web page. All the other browsers reflect the same behavior of the status bar whether the web page is viewed offline or online. This enhanced feature in IE will help easy redirection and spoofing attacks. You cannot even rescue phishing attacks either when certain conditions are made favorable.

Jolt: This vulnerability works perfectly fine in IE 6.

Note: We performed the same vulnerability test on Mozilla, Google Chrome, Opera and Safari to scrutinize the functional behavior of these browsers.

Target Check :- Google Chrome [Latest Build]
Inference: Test failed. Links are interpreted in an appropriate manner.

Target Check :- Mozilla Firefox [Latest Build]

Inference: Test failed. Links are interpreted in an appropriate manner.

Target Check :- Opera [Latest Build]

Inference: Test failed. Links are interpreted in an appropriate manner.

Target Check :- Safari [Latest Build]

Inference: Test failed. Links are interpreted in an appropriate manner.
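As an added, defensive example (not code from the original advisory or its linked test script): a small static scanner over page HTML that flags anchors whose onMouseOver handler writes window.status with a URL different from the anchor's href, which is the pattern section [4] exercises. The sample HTML, the function names and the example hosts are all constructed for this illustration.

```javascript
// Added example: static check for window.status-based link status spoofing.
// It does not need a DOM; it inspects the HTML source of a page as text.
// SAMPLE_HTML is constructed for this example (hosts are placeholders).
const SAMPLE_HTML = `
<a href="http://redirect.example/go"
   onMouseOver="window.status='http://bank.example/login'; return true;"
   onMouseOut="window.status=''">Login</a>
<a href="http://bank.example/help">Help</a>
<a href="http://example.com/x"
   onmouseover="window.status='http://example.com/x'; return true">Same</a>
<a href="http://example.com/y" onmouseover="highlight(this)">Other</a>
`;

// Pull one attribute value (quoted with " or ') out of an anchor's attribute text.
function attrValue(attrs, name) {
  const re = new RegExp(name + '\\s*=\\s*(["\'])(.*?)\\1', 'i');
  const m = re.exec(attrs);
  return m ? m[2] : null;
}

// Return a list of { href, shown } for every anchor whose mouseover handler
// assigns window.status a string that is not the real href. A handler that
// never touches window.status, or that shows the real href, is not flagged.
function scanStatusSpoofing(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = m[1];
    const href = attrValue(attrs, 'href');
    const handler = attrValue(attrs, 'onmouseover');
    if (!href || !handler) continue;
    const statusAssign = /window\.status\s*=\s*(['"])(.*?)\1/i.exec(handler);
    if (!statusAssign) continue;
    const shown = statusAssign[2].trim();
    if (shown !== href.trim()) findings.push({ href, shown });
  }
  return findings;
}

// Stand-alone run: report each mismatch so a reviewer can see what the user
// would have been shown versus where the link really points.
for (const f of scanStatusSpoofing(SAMPLE_HTML)) {
  console.log(`status bar would show ${f.shown} but href is ${f.href}`);
}
```

The same scan can be pointed at saved pages or proxy captures; it reports only the mismatch, it does not resolve or follow the links.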
Conclusion: It has been made clear that the Microsoft solution for status address bar vulnerabilities is not an appropriate one. No link display in the status address bar while surfing online pages is not a good design element. The above presented proof of concept explains this part clearly. A better solution is expected from the vendor.