Firefox Exploit Code Published
A vulnerability in domain name support allows the bad guys to set up pretty good phishing sites.
Exploit code has been published regarding the IDN
vulnerability in Mozilla
The vulnerability resulted from International Domain Name (IDN) support being
incorporated in a variety of browsers. IDN support allows browsers to accommodate
international characters (e.g., nnnn;) within URLs included in HTML HREF
and other tags that point users to a site. Some international characters appear
the same as standard characters (e.g., а looks just like an "a"),
allowing a phisher to register a domain name which would appear the same as
another domain, yet be entirely different and, to some, legitimate.
The concern has been that criminals would use the IDN support to set up phishing
sites to lure unsuspecting visitors into providing details, or to deliver malicious
code to vulnerable browsers. The published exploit code attacks a buffer overflow
vulnerability in the IDN support within Mozilla Suite and Firefox. The vulnerability
comes about as a result of including a "soft-hyphen" character (0xAD)
in a URL. When processed by the browser, code of the attacker’s choice
can be executed.
Patches are available, as well as a workaround. Disabling IDN support prevents
attacks and is a highly recommended choice if you don’t expect to have
to visit sites that incorporate international characters in their URLs.
One really has to wonder about Domain Name registrars that permit the purchasing
of domains which can appear identical to some other well-known domain name.
In my book, those registrars should be considered complicit in any phishing
attempts made from domains they’ve registered.
According to a recent appellate court ruling in Arizona, sending e-mail
spam as text messages (e.g., SMS) to cell phones is as illegal as a 1991
federal law made the use of autodialers to call cell phone numbers.
Well, one has to wonder then why automatically sending e-mail spam to computer
e-mail accounts is any less illegal than the SMS messages to cell phones? In
my book, the type of device that the spam ends up in should be irrelevant.
The U.S. National Security Agency has been granted U.S. patent 6,947,978,
which defines a method of determining an Internet user's geographic location,
relying on measuring the latency between router hops.
This will make it easier for "Big Brother" to physically watch you
while you’re on the Internet. An Internet latency topology map is one
thing, but one wonders if they haven’t also got one for phone and cable
networks to narrow things down to the street or portion of the street your on.
The European Commission adopted a proposal saying details of all telephone,
Internet and e-mail traffic should be logged to combat terrorism and serious
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
There are currently two proposals regarding logging of connection details,
neither of which stipulates the logging of the content of such communications.
The idea is that through logging of connection information, such as who sent
whom an e-mail and when, police agencies will have access to more accurate and
longer-lived information than is currently the case. Fifteen of the 25 member
states in the EU have no requirements for logging at all, and the others have
various retention times and details.
The European Council’s proposal has already been blasted by LIBE,
a parliamentary committee. LIBE explained that the sheer volume of data available
would make it near impossible to effectively mine it for the nuggets of terrorism
or criminal information hoped for. Further, there is no proposal that would
make it impossible for measures to be circumvented by criminals or others.
The Council’s proposal puts the entire burden to fund the effort on those
who will be expected to comply: telecommunication companies, ISPs and the like.
The Commission’s proposal provides funding where there is "demonstrated"
need. In any event, both proposals may run afoul of strict EU privacy rules
-- for example, the EU Data Protection Directive (DPD) -- or, if effected, may
not pass muster when the data is attempted to be used in actual court cases.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.