Tuesday, February 08, 2005

URLs from 2/8/05

Problems with Windows 98 shutdowns.

New browser spoofing vulnerability

The following is from Patrick Douglas Crispen's Internet Tourbus:

New Browser Spoofing Vulnerability
Audience: Everyone who DOESN'T use Internet Explorer

It looks like there is a new browser spoofing vulnerability that-- brace yourself--DOESN'T affect Internet Explorer. No, really. Affected browsers include Mozilla, Firefox, Safari, Netscape Navigator, and Opera on both PCs and Macs. But NOT Internet Explorer.

The vulnerability displays fake domain names in both hyperlinks and your browser's address bar. Is this earth-shattering? No. Should you lose sleep over it? No. Should you at least know a little about it in order to protect your personal information should something strange happen? ABSOLUTELY!

To see this vulnerability in action, check out


Now for the REALLY bad news: There's no way to fix this problem. Yet. [Setting network.enableIDN to false in about:config doesn't work and even SpoofStick is fooled by these fake URLs, despite rumors to the contrary floating around the blogsphere.] Should you panic? As I said, no! But, until the browser gurus find a fix, you should take the following precautions:

1. DON'T TRUST HYPERLINKS IN HTML-FORMATTED EMAIL MESSAGES (emails that display images and hyperlinks and look very much like web pages) even if those email messages are from your friends or family. This is especially true for hyperlinks in email messages from Amazon, AOL, eBay, PayPal, your bank, your credit card company, or any other company you normally do business with. If any web site, financial company, or commercial entity sends you an email asking you to click on a hyperlink in that email to update your account information, DO NOT CLICK ON THAT LINK. Because of this new spoofing vulnerability, you simply cannot trust hyperlinks in HTML- formatted emails to point to the correct URL.

2. BE SUSPICIOUS OF HYPERLINKS ON WEB PAGES YOU HAVE NEVER VISITED BEFORE. To be completely honest, the chance of you running into a spoofed URL on a web page is pretty slim, andthe chance is all but zero on the big .com sites you visit every day. More likely than not, the criminals will be spoofing URLs in email messages, not on Web pages. But, if you are at a web page you have never visited before, exercise a little caution. If something feels wrong, leave.

3. THE BEST WAY TO AVOID BEING HIJACKED BY A SPOOFED URL IS TO MANUALLY TYPE THE URL USING YOUR BROWSER'S ADDRESS BAR. Remember, the spoof only affects hyperlinks in email messages and web pages, not addresses you manually key in to your browser's address bar. So,to be really safe, if you need to access your account information at Amazon, AOL, eBay, PayPal, your bank or financial institution, your credit card company, or any other company you normally do business with, manually enter the URL.

--Thanks, Patrick!