Internet Explorer 7 vulnerability - browser entrapment

Ok, *this* vulnerability demo is good. Unlike other reported IE7 vulnerabilities, which produced odd behaviour obvious to all but the most unobservant user, this one is pretty much impossible to spot.

That being said, to take advantage of the vulnerability you're going to have to convince somebody to visit a hostile site, and then convince the visitor to manually type a URL into the address bar instead of using a link or favorite to go to a page, which limits its effectiveness.

The worst vulnerabilities are the ones that require no user interaction, or require a user action that is normal behaviour. Now, although it is 'normal behaviour' to type URLs into an address bar under some circumstances, and people are rightly advised to do so, it must be remembered that they are advised to do so **instead of clicking hyperlinks in an email**, not when already at a Web site.

The demonstration is here:
http://lcamtuf.coredump.cx/ietrap/

The Secunia advisory is here:
http://secunia.com/advisories/23014/


Published Friday, February 23, 2007 6:08 PM by sandi
Comments

# re: Internet Explorer 7 vulnerability - browser entrapment

Well, it doesn't really trap me. You can open a new tab and type the web site you want to enter then close the original tab.

Friday, February 23, 2007 6:39 AM by Sonic

# re: Internet Explorer 7 vulnerability - browser entrapment

Sonic,

What you describe is also not "normal" behaviour. The average person isn't going to take the steps you mention.

Friday, February 23, 2007 7:04 AM by sandi

# IE 7 - New address bar spoofing vulnerability

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes

Friday, February 23, 2007 8:17 AM by Harry Waldron - My IT Forums Blog

# IE 7 - New address bar spoofing vulnerability

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes

Friday, February 23, 2007 8:17 AM by Harry Waldron - Microsoft MVP Blog

# On the forums: IE 7 - New address bar spoofing vulnerability

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes

Friday, February 23, 2007 9:08 AM by Chris Mosby at myITforum.com

# These Exploits Cross All Boundries ~ IT Professionals

Monday, March 19, 2007 11:57 PM by These Exploits Cross All Boundries ~ IT Professionals

# re: Internet Explorer 7 vulnerability - browser entrapment

Might I recommend "spoofstick" http://spoofstick.com/

It's free, and keeping an eye on the site it reports you are on, vs. what is showing in the address bar, will instantly alert you to the fact that you have been redirected to a spoofed site.

Tuesday, March 20, 2007 5:34 PM by gmueller