latest IE URL spoofing vulnerability

Discussion in 'other security issues & news' started by PhilThePill, Dec 29, 2003.

Thread Status:
Not open for further replies.
  1. PhilThePill

    PhilThePill Registered Member

    Joined:
    Dec 10, 2003
    Posts:
    6
    Location:
    Montreal, CANADA
    Hi all...

    This is my first time here, though I'm active in 4 other forums.

    As the last post on IE flaws seems to be dated in October (?), and having scoured the site, it seemed like the right place (and time) to post this little tidbit I stumbled upon tonight, trying to get a fix for the latest IE URL spoofing vulnerability (not yet patched by MS in December). I thought it wise to let you in on this little temporary and working(!) patch from http://security.openwares.org/

    BTW, this is FRESH (dated Dec. 20th)

    There are 2 exploit test buttons (for before and after the patch is applied) located here: http://security.openwares.org/

    You won't need 2 aspirins to feel better in the morning! It works right away... ;)

    Regards to all, Phil
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi PhilThePill :)
    Welcome to Wilders.

    This thread looks like it is related

    http://www.wilderssecurity.com/showthread.php?t=18091;start=msg112349#msg112349
    snowbound
     
  3. PhilThePill

    PhilThePill Registered Member

    Joined:
    Dec 10, 2003
    Posts:
    6
    Location:
    Montreal, CANADA
    From the same link above, this:
    And this:
    It was submitted on the 20th, but updated on the 28th.

    ...in regards to the post you mention, I guess I didn't look hard enough... :doubt:

    Oh well...
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I tried to go to the link in the first post, but my McAfee VirusScan won't allow me to open the page. It says the site has the Exploit-URLSpoof virus, so I guess I didn't need to see it anyway, since I never, never open Internet Explorer anyway.
     

  5. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi bigc73542,

    Looked to me like that virus warning said the infected file name was Opera and that it needed to be deleted... so! :eek: :rolleyes: :D
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Oh no no. The virus name is in the following screen shot. The virus was in the Opera cache, and was deleted.
     

  7. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Just kidding you know. Maybe I needed more of these :D :D :D
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I think it must have been the googly eyes on the first reply. It threw me off :eek:
     
  9. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    OK, now back to being serious for a minute. On that site they do have a couple of test exploits for the URL spoofing vulnerability. I assume that is what McAfee is alarming on (NOD32 doesn't even blink). I did not go running around the site trying to see if anything else was incognito.

    Was just curious if anyone else was getting an alert on that site. Wouldn't think the board management would allow the link to remain if there was a serious risk there. Maybe it all boils down to which antivirus programmers have added support to their products for the spoofing vulnerability. Not sure, but I think NAV did. If that is the case here, it would be nice to know someone was watching over my shoulder in case I get careless. Anyone else curious?

    Oh and by the way, I am not necessarily saying it is the antivirus community's responsibility here. I used that as an example simply because it was an antivirus alert that got my attention here in the first place.
     
  10. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I won't try to say McAfee is infallible, but I have used it for a long time and it hardly ever false alarms. Not to say that it didn't on this occasion, but it would be out of the ordinary for it to do so. In the last four years that I have used McAfee almost exclusively, I probably have not gotten more than four false positives. But you never know.
     
  11. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Well, maybe I am way out in left field here, because I am certainly no expert on what is actually happening. If McAfee is alarming on an actual virus that is on that site looking to infect someone by using the spoofing exploit, that is a whole different can of worms here. And if that is so, I just got a whole lot more concerned about the fact that NOD32 slept through the whole thing when I went there.

    I was thinking more along the lines that McAfee was warning about an actual spoofed URL, which is what the test exploit there is doing by pretending to send you to a Windows Update site, when it actually goes to openwares.org (66.226.81.182). If that is the case, then I don't think that is a false alarm at all by McAfee. Possibly overkill calling it a virus, but not a false alarm.

    Seems to me that the possibilities here are:
    1. There is an actual virus that I am feeling particularly unprotected against.
    2. It is a false alarm on something McAfee perceived to be an actual virus.
    3. It is a true warning about an exploit, using rather strong terminology to identify the exploit.
    3a. Terminology could be intentional to make people notice.

    Your thoughts (or anyone's, for that matter) would be appreciated.
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    VV - I'm certain that NOD's not reporting anything because there isn't anything to report.

    I cleared all my logs in OutPost and SpyBlocker and went to both test pages - nothing logged (had NOD32 running, of course and TDS-3).

    What I'm not clear about is whether you've got the Openware patch installed or not - do you? I have it installed and it works fine.

    I can't find anything on the McAfee site about the exploit being covered, can you? I don't use McAfee, so I probably don't have the same access to everything that you do.

    I'll take "c". Pete
     
  13. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi spy1,

    No, I do not have the patch installed from Openware. I know that with the last version all of the "bugs" are supposed to be fixed, but considering my surfing habits, I really haven't been too concerned about the vulnerability yet. Was kind of waiting for Microsoft to address this, although I can't give you a good reason to have more faith in them. The only thing I was wondering about, actually, is if there is a real virus on that page and NOD isn't catching it.

    I don't have McAfee either, so I don't have access to anything you don't have access to. It was the alert that bigc73542 is getting that got my attention.

    Symantec added a detection on 12/31/03 that they identified as URLSpoof.Exploit (Category 1).

    URLSpoof.Exploit is a detection for HTML code contained within a Web page that displays as URL of a legitimate Web site.
    Also Known As: Exploit-URLSpoof [McAfee]

    So obviously, McAfee has detection for the same thing. What is about clear as mud to me is the "HTML code contained" part of that. Does that mean they are identifying actual malicious code (as in, gonna do something bad to me right now), or simply a spoofed URL with the POTENTIAL to do something bad if I click the wrong thing or give out sensitive info because of being fooled into thinking I am somewhere I am not. Am I making any sense, here?

    Anyway, thanks for checking Pete, and giving me your take on this.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Yes, you are making sense and it is the second half of your statement that is correct. There is no real malicious code at that site, as in gonna do something bad to you right now.

    The alert that some AV products provide is a possible "exploit-based" warning only, alerting you to the fact that there is a potential for concern and that you should look closer and be sure you are at the correct (real) website that you believe you are at. (That's the whole concern with this particular exploit: it allows you to think you are at one site, but you are really at a spoofed site. The HTML code in this case is the text in the URL line itself.)

    They don't differentiate between an exploit demo site and a site that is really spoofing for some malicious purpose because they can't. The malware signature they are picking up on is merely the presence of spoofing text in the URL string itself, nothing more.
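As an added example (not code from the thread, from openwares.org, or from any AV vendor mentioned above), the following Python script shows the kind of check LowWaterMark describes: it looks only at the text of a link and flags the spoofing pattern, without caring whether the link is a demo or the real thing. It assumes the IE flaw under discussion is the one where a fake host name is placed in the userinfo part of the URL (the text before "@"), so the address bar shows that text while the browser actually connects to the host after "@", which matches Vietnam Vet's description of a link that appears to go to Windows Update but really goes to openwares.org. The sample links, the host names in them, and the function names are constructed for this example.

```python
"""Flag URLs that carry the IE address-bar spoofing pattern (defensive check).

Assumption: the spoof puts a fake host name in the userinfo portion of the
URL (before '@'); the real host is the part after '@'.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links for this example (not taken from the thread).
SAMPLE_LINKS = [
    "http://www.microsoft.com/windowsupdate/",         # ordinary link
    "http://www.windowsupdate.com%01@openwares.org/",  # spoof pattern
    "http://user:secret@intranet.example/",            # embedded credentials
    "ftp://anonymous@ftp.example.org/pub/",            # conventional for ftp
]

# A userinfo value that looks like a registrable host name is the tell.
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyze_url(url):
    """Return the host actually contacted, the text a user would read in
    front of it, a verdict ('ok', 'suspicious', 'spoof') and the reasons."""
    result = {"url": url, "actual_host": "", "displayed_as": "",
              "verdict": "ok", "reasons": []}
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        result["verdict"] = "suspicious"
        result["reasons"].append(f"unparseable URL: {exc}")
        return result
    result["actual_host"] = parts.hostname or ""
    if "@" not in parts.netloc:
        return result  # no userinfo, so nothing to spoof with

    userinfo = unquote(parts.netloc.rpartition("@")[0])
    username = userinfo.partition(":")[0]
    # Control characters such as %01 are what hid the real host in the
    # vulnerable address bar; strip them to get the text a user would see.
    visible = "".join(ch for ch in username if ord(ch) >= 0x20)
    result["displayed_as"] = visible

    if len(visible) != len(username):
        result["reasons"].append("control characters in userinfo")
    if HOST_LIKE.match(visible):
        result["reasons"].append("userinfo looks like a host name")
    if result["reasons"]:
        result["verdict"] = "spoof"
    elif parts.scheme in ("http", "https"):
        # Credentials in an http(s) URL are rare enough to deserve a look
        # even without the spoofing tell.
        result["reasons"].append("credentials embedded in http(s) URL")
        result["verdict"] = "suspicious"
    return result


def scan_links(links):
    """Return the analyses of every link whose verdict is not 'ok'."""
    return [r for r in (analyze_url(u) for u in links) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for r in scan_links(SAMPLE_LINKS):
        print(f"{r['verdict']:10} {r['url']}")
        print(f"           shown as: {r['displayed_as']!r}  really: {r['actual_host']!r}")
        print(f"           {'; '.join(r['reasons'])}")
```

Run as a script it prints the two flagged sample links with the host name a user would read and the host that would really be contacted. Like the AV signature discussed above, it cannot tell a demo page from a malicious one; it only reports that the URL text is built to mislead.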
     
  15. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is what Network Associates has to say about the URL spoof

    http://www.nai.com/us/index.asp
    The mcafee web page is not the best place to use for mcafee info or updates. The link takes you to the corporate info and update pages. Virus index and how to clean trojans and other malware.
     

  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is what Symantec has about this trojan


    http://securityresponse.symantec.com/avcenter/venc/data/urlspoof.exploit.html
     

  17. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi LowWaterMark,

    Thank you, that is exactly what I have been wanting to hear. That was what I was thinking, but I wanted to hear it from someone with a lot more experience than I have. Pete and yourself will do just fine in that regard.

    Hi bigc73542,

    Thanks also for your additional postings on this matter. The Symantec info you posted is what I was referring to in my reply to Pete. On a personal note, I hope Nod32 will also implement a similar warning. Whether it is a test or the real thing is irrelevant to me. I am pretty careful in my surfing habits, but it just feels good to know someone's watching your back.

    Thanks everyone.
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I am sure that NOD will add this type of warning. They have a fine product that works very well. As has been said, the best security device is between your ears. :D
     
  19. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, strangely enough, the Openwares patch updater woke up and asked for permission to connect when I started the computer this morning. I allowed it.

    10:02:48 AM liveupdate.exe TCP www.openwares.org HTTP Browser HTTP connection

    (That's from OutPost Pro's "Allowed Connections" log).

    I did nothing other than turn on the computer. Pete
     