Security Watch

Firefox Exploit Code Published

A vulnerability in domain name support allows the bad guys to set up pretty good phishing sites.

• By Russ Cooper
• 10/17/2005

The vulnerability resulted from International Domain Name (IDN) support being incorporated in a variety of browsers. IDN support allows browsers to accommodate international characters (e.g., &#nnnn;) within URLs included in HTML HREF and other tags that point users to a site. Some international characters appear the same as standard characters (e.g., а looks just like an "a"), allowing a phisher to register a domain name which would appear the same as another domain, yet be entirely different and, to some, legitimate.

The concern has been that criminals would use the IDN support to set up phishing sites to lure unsuspecting visitors into providing details, or to deliver malicious code to vulnerable browsers. The published exploit code attacks a buffer overflow vulnerability in the IDN support within Mozilla Suite and Firefox. The vulnerability comes about as a result of including a "soft-hyphen" character (0xAD) in a URL. When processed by the browser, code of the attacker’s choice can be executed.

Patches are available, as well as a workaround. Disabling IDN support prevents attacks and is a highly recommended choice if you don’t expect to have to visit sites that incorporate international characters in their URLs.

One really has to wonder about Domain Name registrars that permit the purchasing of domains which can appear identical to some other well-known domain name. In my book, those registrars should be considered complicit in any phishing attempts made from domains they’ve registered.

Privacy
According to a recent appellate court ruling in Arizona, sending e-mail spam as text messages (e.g., SMS) to cell phones is as illegal as a 1991 federal law made the use of autodialers to call cell phone numbers.

Well, one has to wonder then why automatically sending e-mail spam to computer e-mail accounts is any less illegal than the SMS messages to cell phones? In my book, the type of device that the spam ends up in should be irrelevant.

Governance
The U.S. National Security Agency has been granted U.S. patent 6,947,978, which defines a method of determining an Internet user's geographic location, relying on measuring the latency between router hops.

This will make it easier for "Big Brother" to physically watch you while you’re on the Internet. An Internet latency topology map is one thing, but one wonders if they haven’t also got one for phone and cable networks to narrow things down to the street or portion of the street your on.

The European Commission adopted a proposal saying details of all telephone, Internet and e-mail traffic should be logged to combat terrorism and serious crime.

There are currently two proposals regarding logging of connection details, neither of which stipulates the logging of the content of such communications. The idea is that through logging of connection information, such as who sent whom an e-mail and when, police agencies will have access to more accurate and longer-lived information than is currently the case. Fifteen of the 25 member states in the EU have no requirements for logging at all, and the others have various retention times and details.

The European Council’s proposal has already been blasted by LIBE, a parliamentary committee. LIBE explained that the sheer volume of data available would make it near impossible to effectively mine it for the nuggets of terrorism or criminal information hoped for. Further, there is no proposal that would make it impossible for measures to be circumvented by criminals or others.

The Council’s proposal puts the entire burden to fund the effort on those who will be expected to comply: telecommunication companies, ISPs and the like. The Commission’s proposal provides funding where there is "demonstrated" need. In any event, both proposals may run afoul of strict EU privacy rules -- for example, the EU Data Protection Directive (DPD) -- or, if effected, may not pass muster when the data is attempted to be used in actual court cases.