Comments on: vicious vicious browser exploit

By: Tungsten

Tungsten — Mon, 07 Feb 2005 23:11:56 +0000

Thank you!

By: Ted

Ted — Mon, 07 Feb 2005 22:11:50 +0000

Ouch. Yeah, I’ll be disabling IDN when I get home.

By: Cam

Cam — Mon, 07 Feb 2005 19:42:59 +0000

Yep. You’ve probably seen Josh’s explanation already, but if not, imagine that you’re a bad guy and you want to take advantage of this. What could you do?

It would be simple and effective to send out phishing email that would appear to direct people to a legitimate site but would really direct them to your own con-artist website.

Or let’s imagine that you manage to hack into a website, say, the Red Cross site. Instead of announcing “this site is pwnz0red!” you make a visually indetectible change that sends visitors to your con-artist website to make their donations. Depending on how clever you are and how careful the site administrators are, you could collect quite a bundle.

By: Ted

Ted — Mon, 07 Feb 2005 18:34:19 +0000

Is this something you need to worry about if you don’t have your own website?

By: StopIE

StopIE — Mon, 07 Feb 2005 17:05:31 +0000

Actually Firefox is still far more secure.

The only reason that this vulnerability doesn’t affect IE is that IE doesn’t follow the IDN standard at all.

It can be turned off extremely easily in Firefox:
1) type about:config in the address bar
2) disable “network.enableIDN”

By: Rechercher

Rechercher — Mon, 07 Feb 2005 16:41:47 +0000

So much for Firefox being more secure than IE.