Internet Explorer 7 vulnerability - browser entrapment

Ok, *this* vulnerability demo is good.  Unlike other IE7 vulnerabilities that have been reported that resulted in weird behaviour that made it obvious to all but the most unobservant user that something weird is going on, this one is pretty much impossible to spot.

That being said, to take advantage of the vulnerability you're going to have to convince somebody to visit a hostile site, and then convince the visitor to manually type a URL into the addressbar instead of using a link or favorite to go to a page, limiting its effectiveness.

The worst vulnerabilities are the ones that require no user interaction, or require user action that is normal behaviour.  Now, although it is 'normal behaviour' to type URLs into an addressbar under some circumstances, and it is normal that people are advised to do so, it must be remembered that they are advised to do so **instead of clicking hyperlinks in an email**, not when at a Web site.

The demonstration is here:
http://lcamtuf.coredump.cx/ietrap/

The Secunia advisory is here:
http://secunia.com/advisories/23014/

 

Published Fri, Feb 23 2007 18:08 by sandi
Filed under:

Comments

# re: Internet Explorer 7 vulnerability - browser entrapment

Friday, February 23, 2007 6:39 AM by Sonic

Well, it doesn't really trap me. You can open a new tab and type the web site you want to enter then close the original tab.

# re: Internet Explorer 7 vulnerability - browser entrapment

Friday, February 23, 2007 7:04 AM by sandi

Sonic,

What you describe is also not "normal" behaviour.  The average person isn't going to take the steps you mention.

# IE 7 - New address bar spoofing vulnerability

Friday, February 23, 2007 8:17 AM by Harry Waldron - My IT Forums Blog

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes

# IE 7 - New address bar spoofing vulnerability

Friday, February 23, 2007 8:17 AM by Harry Waldron - Microsoft MVP Blog

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes

# On the forums: IE 7 - New address bar spoofing vulnerability

Friday, February 23, 2007 9:08 AM by Chris Mosby at myITforum.com

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes

# These Exploits Cross All Boundries ~ IT Professionals

Monday, March 19, 2007 11:57 PM by These Exploits Cross All Boundries ~ IT Professionals

PingBack from http://www.lockergnome.com/nexus/it/2007/03/19/these-exploits-cross-all-boundries/

# re: Internet Explorer 7 vulnerability - browser entrapment

Tuesday, March 20, 2007 5:34 PM by gmueller

MIght I recommend "spoofstick" http://spoofstick.com/

It's free, and keeping an eye on the site it reports you are on, vs. what is showing in the address bar, will instantly alert you to the fact that you have been redirected to a spoofed site.