latest IE URL spoofing vulnerability

Hi all...

This is my first time here, though I'm active in 4 other forums.

As the last post on IE flaws seems to be dated in October (?), and having scoured the site, it seemed like the right place (and time) to post this little tidbit I stumbled upon tonight, trying to get a fix for the latest IE URL spoofing vulnerability (not yet patched by MS in December). I thought it wise to let you in on this little temporary and working(!) patch from http://security.openwares.org/

BTW, this is FRESH (dated Dec. 20th)

There are 2 exploit test buttons (for before and after the patch is applied) located here : http://security.openwares.org/

You won't need 2 aspirins to feel better in the morning ! It works right away...

Regards to all, Phil

 

Hi PhilThe Pill
Welcome to wilders.

This thread looks like it is related

http://www.wilderssecurity.com/showthread.php?t=18091;start=msg112349#msg112349





snowbound

 

From the same link above, this :

And this :

It was submitted on the 20th, but updated on the 28th.

...in regards to the post you mention, I guess I didn't look hard enough...

Oh well...

 

I tried to go to the link in the first post but my mcafee virusscan won't allow me to open the page it says it has the exploit url spoof virus on the site so I guess I didn't need to see it anyway since I never, never, open internet explorer anyway.

 

Hi bigc73542,

Looked to me like that virus warning said the infected file name was Opera and that it needed to be deleted............so!

 

Oh no no. The virus name is in the following screen shot. THe virus was in the opera cache. And was deleted.

 

Just kidding you know. Maybe I needed more of these

 

i think it must have been the google eyes on the first reply,It threw me off

 

OK, now back to being serious for a minute. On that site they do have a couple of test exploits for the url spoofing vulnerability. I assume that is what McAfee is alarming on(NOD32 doesn't even blink). I did not go running around the site trying to see if anything else was incognito.

Was just curious if anyone else was getting an alert on that site. Wouldn't think the board management would allow the link to remain if there was a serious risk there. Maybe it all boils down to which antivirus programmers have added support to their products for the spoofing vulnerability. Not sure, but I think NAV did. If that is the case here, it would be nice to know someone was watching over my shoulder in case I get careless. Anyone else curious?

Oh and by the way, I am not necessarily saying it is the antivirus community's responsibility here. I used that as an example simply because it was an antivirus alert that got my attention here in the first place.

 

I won't try to say mcafee is infalable but I have used it for a long time and it doesn't false alarm hardly ever. Not to say that it didn't on this ocassion but it would be out of the ordinary for it to do so. I probably in the last four years that I have used mcafee almost exclusively have not gotten over four false positives. But you never know.

 

Well, maybe I am way out in left field here, because I am certainly no expert on what is actually happening. If McAfee is alarming on an actual virus that is on that site looking to infect someone by using the spoofing exploit, that is a whole different can of worms here. And if that is so, I just got a whole lot more concerned about the fact that NOD32 slept through the whole thing when I went there.

I was thinking more along the lines that McAfee was warning about an actual spoofed URL, which is what the test exploit there is doing by pretending to send you to a Windows Update site, when it actually goes to openwares.org(66.226.81.182). If that is the case, then I don't think that is a false alarm at all by McAfee. Possibly overkill calling it a virus, but not a false alarm.

Seems to me that the possibilities here are:
1. There is an actual virus that I am feeling particularly unprotected against.
2. It is a false alarm on something McAfee perceived to be an actual virus.
3. It is a true warning about an exploit, using rather strong terminology to identify the exploit.
3a. Terminology could be intentional to make people notice.

Your thoughts(or anyone's, for that matter) would be appreciated.

 

VV - I'm certain that NOD's not reporting anything because there isn't anything to report.

I cleared all my logs in OutPost and SpyBlocker and went to both test pages - nothing logged (had NOD32 running, of course and TDS-3).

What I'm not clear about is whether you've got the Openware patch installed or not - do you? I have it installed and it works fine.

I can't find anything on the McAfee site about the exploit being covered, can you? I don't use McAfee, so I probably don't have the same access to everything that you do.

I'll take "c". Pete

 

Hi spy1,

No, I do not have the patch installed from Openware. I know that with the last version all of the "bugs" are supposed to be fixed, but considering my surfing habits, I really haven't been too concerned about the vulnerability yet. Was kind of waiting for Microsoft to address this, although I can't give you a good reason to have more faith in them. The only thing I was wondering about, actually, is if there is a real virus on that page and NOD isn't catching it.

I don't have McAfee either, so I don't have access to anything you don't have access to. It was the alert that bigc73542 is getting that got my attention.

Symantec added a detection on 12/31/03 that they identified as URLSpoof.Exploit(Category1).

URLSpoof.Exploit is a detection for HTML code contained within a Web page that displays as URL of a legitimate Web site.
Also Known As: Exploit-URLSpoof [McAfee]

So obviously, McAfee has detection for the same thing. What is about clear as mud to me is the "HTML code contained" part of that. Does that mean they are identifying actual malicious code(as in, gonna do something bad to me right now), or simply a spoofed url with the POTENTIAL to do something bad if I click the wrong thing or give out sensitive info because of being fooled into thinking I am somewhere I am not. Am I making any sense, here?

Anyway, thanks for checking Pete, and giving me your take on this.

 

Here is what network associates has to say about the url-spoof

http://www.nai.com/us/index.asp
The mcafee web page is not the best place to use for mcafee info or updates. The link takes you to the corporate info and update pages. Virus index and how to clean trojans and other malware.

 

here is what symantec has about this trojan


http://securityresponse.symantec.com/avcenter/venc/data/urlspoof.exploit.html

 

Hi LowWaterMark,

Thank you, that is exactly what I have been wanting to hear. That was what I was thinking, but I wanted to hear it from someone with a lot more experience than I have. Pete and yourself will do just fine in that regard.

Hi bigc73542,

Thanks also for your additional postings on this matter. The Symantec info you posted is what I was referring to in my reply to Pete. On a personal note, I hope Nod32 will also implement a similar warning. Whether it is a test or the real thing is irrelevant to me. I am pretty careful in my surfing habits, but it just feels good to know someone's watching your back.

Thanks everyone.

 

I am sure that nod will ad this type of warning. They have a fine product that works very well. Like it has been said the best security device is between your ears.

 

Well, strangely enough, the Openwares patch updater woke up and asked for permission to connect when I started the computer this morning. I allowed it.

10:02:48 AM liveupdate.exe TCP www.openwares.org HTTP Browser HTTP connection

(That's from OutPost Pro's "Allowed Connections" log).

I did nothing other than turn on the computer. Pete