January 29, 2004
Microsoft's aging browser, Internet Explorer (version 6 was first released in October 2001), continues to show that it needs a complete overhaul.
In November last year, a Chinese researcher discovered multiple vulnerabilities in Internet Explorer (versions 5.01, 5.5 and 6), which were reported on the Secunia security Web site.
Microsoft has reportedly been working on a comprehensive fix for these issues, but testing is taking a long time. This week Microsoft published a Knowledge Base article under the title: "Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs."
This is going to create a number of problems, notably for Web site management software, which frequently uses the http(s)://username:password@server/resource.ext syntax that Microsoft is planning to stop supporting.
The move is a response to the increasing use of this syntax by malicious users to open a deceptive (spoofed) Web site. Many of these cases involve fake AOL, PayPal or banking Web sites, where unsuspecting users are conned into parting with their credit card and personal details.
According to a recent FTC report, 43 percent of all consumer fraud complaints are related to identity theft.
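The following is an added example, not code from Microsoft or from the original article: a check that a mail filter or link scanner could apply to the http(s)://username:password@server/ syntax described above, reporting the host a browser would actually contact and flagging userinfo that reads like a host name. The function name `inspectUrl`, the host-name heuristic and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: inspect the userinfo part of an http(s) URL.
// Returns null for unparsable or non-http(s) input.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);              // WHATWG URL parser (Node.js and browsers)
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;

  const hasUserinfo = u.username !== '' || u.password !== '';
  let user = u.username;
  try {
    user = decodeURIComponent(u.username);
  } catch (e) {
    // Malformed percent-escape: keep the raw value.
  }
  // Heuristic (assumption): userinfo shaped like "www.bank.example" is what a
  // reader takes for the destination, while the browser connects to the host
  // that follows the "@". Dotted user names will also match.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user);

  return {
    realHost: u.hostname,          // where the request really goes
    hasUserinfo,
    deceptive: hasUserinfo && looksLikeHost &&
               user.toLowerCase() !== u.hostname,
  };
}

// Constructed sample URLs (documentation-reserved names and addresses).
const samples = [
  'http://www.bank.example@203.0.113.5/login',          // host-like userinfo
  'https://admin:secret@intranet.example/resource.ext', // site-management use
  'https://www.example.com/a@b',                        // "@" in path only
];
for (const s of samples) {
  console.log(s, JSON.stringify(inspectUrl(s)));
}
```

Only the first sample is flagged as deceptive; the second shows the site-management use that the planned update would also stop supporting.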
Just a day after Microsoft published their announcement that a fix would be forthcoming, security Web site Secunia published another advisory, outlining a vulnerability in Internet Explorer that allows malicious Web sites to "spoof" the file extension of downloadable files. Internet Explorer can be tricked into opening a file with a different application than indicated by the file extension by embedding a CLSID (a long numerical string that relates to a particular COM object) in the file name. This could be exploited to trick users into opening "trusted" file types which are in fact malicious files.
This latest exploit seems to be far from new, however. Georgi Guninski reported a similar trick almost three years ago, which used an embedded CLSID to make you believe you were opening a text file when in fact you had opened a .hta (HTML Application, executable) file. Guninski informed Microsoft in April 2001, and the fact that this was never fixed may be an indication that it is nearly impossible to fix (without breaking functionality that has been used for years).