[THIN] Article: Browser Feature Could Make Scams Easier..IE safer?

  • From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Tue, 8 Feb 2005 04:32:17 -0800 (PST)

Sometimes having all those extra languages isn't so great....

Jim

Browser Feature Could Make Scams Easier 

By ANICK JESDANUN, AP Internet Writer 

http://story.news.yahoo.com/news?tmpl=story&cid=528&ncid=528&e=3&u=/ap/20050207/ap_on_hi_te/web_browser_flaw

NEW YORK - An Internet browser feature meant to permit Web addresses in 
Chinese, Arabic and other languages could encourage online fraudsters by making 
scam Web sites look legitimate to visitors. 

For once, the affected browser is not the industry-leading Internet Explorer 
from Microsoft Corp. but rather several of its more robust competitors. 

That's because the aging IE lacks support for internationalized domain names ? 
at least without a plug-in, which would then make IE vulnerable. 

"It's kind of ironic that it affects some of the supposedly safer browsers," 
said Neel Mehta, a research engineer at the Internet Security Systems Inc. 

A fix won't be easy because the vulnerability, publicized at a weekend hacker 
conference, that enables so-called "phishing" scams involves a feature, not a 
coding error. 

Engineers at the Mozilla Foundation, developer of the No. 2. Firefox browser, 
said they were reviewing options and should have more to say within a few days. 

The maker of the Opera browser said in a statement that although a fix is 
possible, "it's extremely hard to find a balance between making the fix too 
comprehensive or too limited. Even though you limit yourself you can create 
problems for valid domains." 

Officially, the Internet's Domain Name System supports only 37 characters ? the 
26 letters, 10 numerals and a hyphen. 

But in recent years, in response to a growing Internet population worldwide, 
engineers have been working on ways to trick the system into understanding 
other languages. 

Engineers have rallied around a character system called Unicode. The newly 
discovered exploit takes advantage of the fact that characters that look alike 
can have two separate codes in Unicode and thus appear to the computer as 
different. For example, Unicode for "a" is 97 under the Latin alphabet, but 
1072 in Cyrillic. 

Subbing one for the other can allow a scammer to register a domain name that 
looks to the human as "paypal.com," tricking users into giving passwords and 
other sensitive information at what looks like a legitimate site. 

Some browsers, including Firefox, let users deactivate the other character sets 
but doing so is complicated and would cut off access to the relatively few 
sites that use non-English characters in their addresses. 

A better solution is to always manually type Web address directly into a 
browser rather than clicking on a link sent via e-mail or even copying and 
pasting that link. 

The potential for the vulnerability has been known for awhile, but it has only 
recently gained the attention of security experts as non-English domain names 
become a reality. 

Eric Johanson, an independent security consultant in Seattle, publicized it on 
Sunday, saying he wanted to pressure vendors to act. 

Dan Hubbard, director of security at Websense Inc., which monitors phishing 
scams, said he knew of no e-mails circulating on the Internet that take 
advantage of the vulnerability, but he expects scammers to start using it soon 
to target non-IE browsers. 

Hubbard said plenty of flaws already exist with IE because users don't keep up 
with security updates. 

"Attackers will check to see what browser you're using and then use 
vulnerability A if it's Internet Explorer and B if it's Mozilla Firefox," 
Hubbard said. 

But Johannes Ullrich, chief technology office with the SANS Institute's 
Internet Storm Center, said scammers may focus on exploiting other flaws 
because IE remains dominant. 

"Right now the one thing that will likely prevent them from using it is that 
Internet Explorer users will not be able to see the page at all," he said

Other related posts:

  • » [THIN] Article: Browser Feature Could Make Scams Easier..IE safer?