Drobe :: The archives

Fresco suffers IE URL bug

By Chris Williams. Published: 17th Dec 2003, 14:26:35

Don't get spoofed

Security: A recently discovered bug in Microsoft's Internet Explorer allows anyone to fake the URL shown in the address bar, in order to gain the user's trust. The trick is a link of the form http://www.trusted.example%01@real-host/: everything before the '@' is the URL's username field, and a percent-encoded %00 or %01 in it makes the address bar stop displaying at that byte, so only the decoy name is shown while the page is actually fetched from the host after the '@'. As revealed by Michael Poole, the RISC OS browser Fresco is also susceptible to this vulnerability.

Exploiting this flaw, fraudsters could build websites designed to collect sensitive information from net users while disguising the rogue pages as official websites. Web surfers are warned not to follow links from untrusted sources.

While Fresco 2.13 was shown to be vulnerable, Oregano 1 and 2 and Browse all reject the malformed URLs used in the exploit.
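The following Python model shows why the trick works and what a rejecting browser checks. It is an added example written for this page, not code from Drobe, Fresco, Oregano or any other RISC OS browser. The sample URLs are constructed (evil.example is a placeholder host), and the "naive address bar" is a simplified stand-in for a display routine that percent-decodes the URL and then treats the result as a control-terminated C string. It also covers the padding variant (a long run of %20 in the username field that pushes the real host out of the visible bar), which is a generalisation of the same '@' trick.

```python
"""Model of the address-bar spoof: a URL whose username field (the text
before '@') hides the real host from a naive display routine.

Added example, not code from Drobe or any RISC OS browser.  The sample
URLs below are constructed; evil.example is a placeholder host."""

from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample URLs.  The host after '@' is where the fetch goes.
SPOOF_CTRL = "http://www.microsoft.com%01@evil.example/login"
SPOOF_NUL = "http://www.microsoft.com%00@evil.example/login"
SPOOF_PAD = "http://www.microsoft.com" + "%20" * 200 + "@evil.example/login"
HONEST = "http://www.microsoft.com/login"


def naive_address_bar(url: str, width: int = 60) -> str:
    """What a vulnerable browser shows: percent-decode the URL, stop at the
    first control byte (C-string style), and clip to the bar's width."""
    shown = bytearray()
    for b in unquote_to_bytes(url):
        if b < 0x20:            # NUL, 0x01 ... terminates the display string
            break
        shown.append(b)
    return shown.decode("latin-1")[:width]


def displayed_host(shown: str) -> str:
    """The host a user reads off the displayed text: the token after '://'
    up to the first '/', ':', '@' or blank."""
    rest = shown.split("://", 1)[1] if "://" in shown else shown
    host = ""
    for ch in rest:
        if ch in "/:@ ":
            break
        host += ch
    return host.lower()


def real_host(url: str) -> str:
    """Where the request actually goes: the authority after the last '@'."""
    return urlsplit(url).hostname or ""


def is_spoofed(url: str, width: int = 60) -> bool:
    """True when the host shown in the naive bar differs from the real one."""
    return displayed_host(naive_address_bar(url, width)) != real_host(url)


def userinfo(url: str) -> str:
    """Raw (still percent-encoded) username field, '' if there is none."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else ""


def reject_spoof(url: str, max_userinfo: int = 64) -> bool:
    """Hardened acceptance check: refuse any URL whose username field
    decodes to control bytes, or is long enough to push '@host' out of
    view.  Modelled on the rejecting behaviour the article reports for
    Oregano and Browse; the exact rule those browsers use is an assumption."""
    ui = userinfo(url)
    if not ui:
        return False
    decoded = unquote_to_bytes(ui)
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return True
    return len(decoded) > max_userinfo


if __name__ == "__main__":
    for name, url in [("ctrl", SPOOF_CTRL), ("nul", SPOOF_NUL),
                      ("pad", SPOOF_PAD), ("honest", HONEST)]:
        print(f"{name:7} shown={naive_address_bar(url)!r:48} "
              f"real={real_host(url):18} spoofed={is_spoofed(url)} "
              f"rejected={reject_spoof(url)}")
```

A legitimate http://user:secret@host/ URL passes reject_spoof, since its username field is short and printable; only control bytes or an oversized field trip the check. The width used by naive_address_bar is an assumed bar width, not a measured one.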

Links

Internet Explorer URL Spoofing Vulnerability details (includes online test)
IE bug provides phishing tool, from ZDNet


Discussion


Ooh, not very often that RISC OS stuff suffers the same flaws as Microsoft products ;)

Andy. Woot.

andypoole on 17/12/03 2:49PM

Encoded null characters in URLs? Let's hope Fresco doesn't treat codes 2 and 3 too liberally, as the dot matrix printer fires up and proceeds to "print" the desktop. ;-)

guestx on 17/12/03 3:04PM

Surely the positive side of this is that Oregano, one of the browsers actually still being developed for our platform, rejects these malformed URLs?

Has anyone tried this online test on Webster XL? My guess is that it will not show the malformed URLs, but I will be interested to see if that is because it is secure or because it crashes :-).

Vic

vshears on 17/12/03 3:16PM

WebsterXL shows the full address and complains about it when you click on it.

Webite just goes to the fake address (e.g. microsoft.com) and ignores the 'real' address.

Grek1 on 17/12/03 3:20PM

Thank you. I am at work and my RiscPC is at home, so I could not test it myself.

Vic

vshears on 17/12/03 3:49PM

NetSurf says "Unable to fetch document"

AndrewDuffell on 17/12/03 4:12PM

Now that's doing us a service! Another job for Paul Vigay possibly!

AW on 17/12/03 4:17PM

Hmm. The exploit they describe does *not* rely on malformed URLs (%01 and %00 are valid sequences), but the example they give does not encode the %01 and hence *is* malformed, and proper browsers should reject it.

Still leaves the question of whether the description of the exploit is correct and if so whether some RISC OS browsers still reject it (falsely), just display the fake part (replicating the problem with IE, apparently) or actually go to the fake part (still false, though not too dangerous).

ninja on 17/12/03 4:51PM

It isn't so much the 00 and 01 sequences (I can't get the percent symbol in front of them) being illegal as what the application does with them. Certainly, alarm bells would be ringing with me if I had written code which turned arbitrary hex numbers into byte values, knowing that my string datatype wasn't null safe and that a null could cause some interesting behaviour later on.

guestx on 17/12/03 6:20PM

Here's another one in a similar vein: [link] (add %20s to taste). It only works if the address bar is left justified and the browser parses URLs before displaying them (ArcWeb, Browse and Mozilla don't).

caliston2 on 17/12/03 8:19PM

What is NetSurf?

pipalya on 18/12/03 9:02AM

Try the drobe article search. You'll have to go as far as the first hit.

mrchocky on 18/12/03 9:08AM

or try [link]

AndrewDuffell on 18/12/03 4:06PM


    © 1999-2009 The Drobe Team. Some rights reserved, click here for more information