Mozilla and Firefox patch fixes exploit, 12 hours later
Posted: Wed Feb 09, 2005 3:18 am
Recent exploit is fixed in only 12 hours.
http://ftp.mozilla.org/pub/mozilla.org/ ... iary1.0.1/
More about the exploit:
Browser Exploit That Doesn't Affect IE - Shocks The World
According to a paper recently published by Eric Johanson of the Shmoo Group, users on most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc), Safari 1.2.5, Opera 7.54, Omniweb 5 are victim to a complex International Domain Name [IDN] spoof. This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. Every recent gecko/khtml based browser implements IDN (which is just about every browser except for Internet Explorer). The Shmoo Group have created a proof of concept where the links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as http://www.xn--pypal-4ve.com.
Proof of concept URL:
http://www.shmoo.com/idn/
Clicking on either of the two links in the above webpage using anything but IE should result in a spoofed paypal.com webpage.
The links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as http://www.xn--pypal-4ve.com.
This is one example URL; there are now many ways to display any domain name on a browser, as there are a huge number of codepages/scripts which look very similar to Latin charsets.
Phishing attacks are the largest growing class of attacks on the internet today.
Vulnerable browsers include (but are not limited to):
Most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5
Detection:
There are a few methods to detect that you are under a spoof attack. One easy method is to cut & paste the URL you are accessing into Notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. You can also view the details of the SSL cert, to see if it's using a punycode wrapped version of the domain starting with the string 'xn-'.
Workaround:
You can disable IDN support in Mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari.
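The copy-and-paste check described under Detection can be automated. The following is an added example, not part of the original post or the Shmoo Group advisory: it converts a hostname to its punycode form with Python's built-in `idna` codec and reports labels that hide non-ASCII characters or mix scripts. The function names and the sample hostnames are constructed for illustration.

```python
import unicodedata


def scripts_in(label):
    """Script names (first word of each letter's Unicode name) used in a label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def inspect_host(host):
    """Return (ascii_form, findings); findings lists labels that need a second look."""
    # ASCII (punycode) form: what DNS and the certificate actually carry.
    ascii_form = host.encode("idna").decode("ascii")
    # Unicode form: what an IDN-aware address bar may display.
    unicode_form = ascii_form.encode("ascii").decode("idna")
    findings = []
    for a_label, u_label in zip(ascii_form.split("."), unicode_form.split(".")):
        if a_label == u_label:
            continue  # plain ASCII label, nothing hidden
        scripts = scripts_in(u_label)
        findings.append({
            "label": a_label,
            "scripts": sorted(scripts),
            # Mixed Latin/Cyrillic in one label is the pattern used in the page's example.
            # A label written entirely in one look-alike script is not caught by this flag,
            # but it still appears in findings because it is non-ASCII.
            "mixed_script": len(scripts) > 1,
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c)}"
                          for c in u_label if ord(c) > 127],
        })
    return ascii_form, findings


if __name__ == "__main__":
    # Constructed inputs: the page's spoofed host written with U+0430,
    # the same host in punycode form, and the genuine ASCII name.
    for h in ["www.p\u0430ypal.com", "www.xn--pypal-4ve.com", "www.paypal.com"]:
        ascii_form, findings = inspect_host(h)
        print(ascii_form, findings)
```
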