New Microsoft Internet Explorer exploit spoofs Web sites on fully patched Windows XP systems

“Security researchers have uncovered a spoofing flaw in Internet Explorer that could turn out to be the perfect holiday gift for scammers,” Matthew Broersma reports for eWeek. “The bug, which has been confirmed on a fully patched Windows XP system with IE 6.0 and Service Pack 2, could allow a scammer to display a fake Web site with all the attributes of a genuine, secure site, including the URL and the icon indicating SSL security, according to researchers.”

“Because the vulnerability is found in one of Internet Explorer’s default ActiveX controls, scammers could use it to spoof the content of any site, researchers said. Users could be lured to the fake site via a link in an e-mail message, a tactic that continues to prove effective despite efforts to educate users,” Broersma reports. “There is currently no patch for the bug. Users can protect themselves by turning off ActiveX or switching the security level for the ‘Internet’ zone to ‘high,’ researchers said… Secunia has issued an advisory describing the issue and is offering an online demonstration to test browser vulnerability.”

“Thomas Kristensen, chief technology officer at independent security firm Secunia, said in a telephone interview. ‘Because this is embedded in IE by default, it’s possible to inject content into any Web site. There’s no way for a Web site to protect itself against this… Once it is displaying the site, if you follow best practices and look for the padlock, et cetera, you still won’t have a clue [that the site is spoofed]… It isn’t really even spoofing – you are really visiting the site, it’s just that another site is controlling what you see,'” Broersma reports.

Full article here.
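As an added defender's check that is not part of the eWeek article or this page, the PowerShell script below audits the two mitigations the researchers name: the ‘Internet’ zone's security level and whether ActiveX controls are allowed to run. The registry path and value numbers are Microsoft's documented Internet zone settings; the function and variable names are this example's own, and it assumes PowerShell 3 or later.

```powershell
# Added example (not code from the eWeek article or MacDailyNews): audit the
# IE "Internet" zone (zone 3) for the mitigations the article names, i.e. the
# zone's overall security level and whether ActiveX controls may run.
# Registry path and value numbers follow Microsoft's documented zone layout.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# CurrentLevel encodes the slider position shown in Internet Options.
$levelNames = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-high'
    0x12000 = 'High'
}

# Per-action URL policy values: 0 = Enable, 1 = Prompt, 3 = Disable.
$activeXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$actionState = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    if (-not (Test-Path $zonePath)) {
        Write-Warning 'Zone 3 key not found under HKCU; settings may be enforced from HKLM by policy.'
        return
    }
    $zone = Get-ItemProperty -Path $zonePath

    $level = [int]$zone.CurrentLevel
    $levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom (0x{0:X})' -f $level }
    # Only the 'High' preset counts as the mitigation the researchers describe.
    [pscustomobject]@{ Check = 'Internet zone level'; Value = $levelName; Hardened = ($level -eq 0x12000) }

    foreach ($id in ($activeXActions.Keys | Sort-Object)) {
        $raw = $zone.$id
        $state = if ($null -eq $raw) { 'Not set (zone default)' } elseif ($actionState.ContainsKey([int]$raw)) { $actionState[[int]$raw] } else { "Unknown ($raw)" }
        # Only an explicit Disable (3) counts as hardened for these actions.
        [pscustomobject]@{ Check = $activeXActions[$id]; Value = $state; Hardened = ($raw -eq 3) }
    }
}

Test-InternetZoneHardening | Format-Table -AutoSize
```

A value that is missing from HKCU is not necessarily permissive: Group Policy can pin the same settings under the HKLM counterpart of this key, so check both hives on managed machines.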

Related MacDailyNews articles:
Virus and worm problems not just due to market share; Windows inherently insecure vs. Mac OS X – August 24, 2003
Sick of worms and viruses? ‘Move to Mac OS X’ suggests Chicago Tribune columnist – August 25, 2003
Chicago Sun-Times columnist: Windows ‘many holes in its security’ but ‘none of my Macs have ever been affected – August 26, 2003
Is Mac OS X really inherently more secure than Windows? – August 26, 2003
Shattering the Mac OS X ‘security through obscurity’ myth – August 28, 2003
Fortune columnist: ‘get a Mac’ to thwart viruses; right answer for the wrong reasons – September 02, 2003
Wall Street Journal’s Mossberg on making the switch from Windows to Mac – September 18, 2003
New York Times: Mac OS X ‘much more secure than Windows XP’ – September 18, 2003
Columnist tries the ‘security through obscurity’ myth to defend Windows vs. Macs on virus front – October 1, 2003
Gates: Windows ‘by far the most secure’ system; tries to use ‘Mac OS X secure through obscurity’ myth – January 27, 2004
Mac OS X has no viruses; what’s wrong with Windows? – February 11, 2004
SmartMoney: Long-suffering Windows users can only dare to dream of Mac’s ease-of-use – February 12, 2004
Spyware, adware plague Windows users online; Mac OS X users surf freely – April 19, 2004
Gartner: Worms jack up the total cost of Microsoft Windows – May 07, 2004
Windows ‘Scob’ virus designed to steal financial data, passwords; Macintosh unaffected – June 26, 2004
Tired of patching patches to patch Windows patches? Writer suggests getting a Mac – August 03, 2004
Mossberg: Dump your Windows machine and get an Apple Macintosh to free yourself of spyware – August 25, 2004
Millions of Windows PC’s hijacked by hackers, turned into zombies; Macintosh unaffected – September 08, 2004
Security is top priority in Apple’s Mac OS X – September 12, 2004
Windows XP worm speaks to users as it deletes their files; Macintosh unaffected – September 13, 2004
University of Chicago recommends all students patch Windows at least once a day – September 14, 2004
USA Today columnist angry about Windows viruses, adware, spyware – September 15, 2004
Windows besieged by hackers; number of Windows viruses soars by more than 400% – September 20, 2004
USA Today: people are switching from Windows to Mac because of security issues – September 21, 2004
Mossberg: Apple iMac G5 ‘powerful, affordable, virus-free with better, more modern OS than Windows XP’ – September 23, 2004
Information Security Investigator says switch from Windows to Mac OS X for security – September 24, 2004
Cyber-security adviser uses Apple Macintosh to avoid Windows’ security woes – September 27, 2004
Even Bill Gates can’t avoid Windows malware; Mac users surf the Web freely – October 03, 2004
Windows desktop monopoly threatened by secure, safe Apple Mac OS X – October 04, 2004
Windows users’ security woes spark interest in Apple’s secure Mac OS X – October 06, 2004
Microsoft: The safest way to run Windows is on your Mac – October 08, 2004
Windows users line up to pay for spyware removal; Mac users surf Web with impunity – October 18, 2004
Ballmer blames Windows users for not upgrading systems as Microsoft’s biggest security problem – October 22, 2004
Spyware plagues Windows users while Mac users surf Net with impunity – November 01, 2004
Sick of spyware, adware infecting your PC? Don’t fret, just get a Mac – November 01, 2004
Security test: Windows XP system easily compromised while Apple’s Mac OS X stands safe and secure – November 30, 2004
Security expert: Don’t use Microsoft Windows, Office, Outlook, Internet Explorer – December 09, 2004
Mossberg: Windows PCs plagued with problems, Apple’s Mac is ‘rock solid, elegant and affordable’ – December 09, 2004
Sick of spyware, adware headaches? Get a Mac and surf the Internet freely – December 13, 2004
Detroit Free Press: Windows malware problem getting worse, it’s time to get a Mac instead – December 16, 2004
Microsoft may charge extra for Windows spyware protection software – December 16, 2004

17 Comments

  1. “…switching the security level for the ‘Internet’ zone to ‘high’”

    Why would any reputable software engineering team not make this the default, and totally remove any ability of the user to make the security level any less?

    This along with Windows, how can ANYONE trust Microsoft as a reputable company? The next thing you know, they’ll start charging their own customers for software to fix MS software flaws.

    …oops, I’m too late.

  2. And they want you to pay more for security when their ish should be secure out of the box. Shameful.

    Just got off the phone with a client who just switched to a Mac. His words, “I can’t believe I ever used that PC Windows crap. The Mac is just so much better.”

    My words: “I tried telling you, but I stopped so that you can do it on your own.”

    Go Apple. To hell with Microsoft.

  3. “….Because the vulnerability is found in one of Internet Explorer’s default ActiveX controls……”

    Someone please set me straight if I’m wrong here….but wasn’t “ActiveX” determined to be the main cause for IE’s faulty security woes… years ago ??

    If so…. why the heck is it still being used ??

    btw… my magic word this time is “never”…. as in… I will NEVER use any MS crap !!

  4. Isn’t all these Microsoft is full of crap stories just preaching to the choir? We know it sucks, do we need to keep getting it here? Other than Microsoft sucks and iPod news, there is not much Mac/Apple computer news/stuff going on.

    Is MacWorld in SanFran in January just going to be an iPod love fest???
    No new apple computers? Big upgrades? No non-iPod rumors?
    No criticism for Apple and IBM for not getting their sh*t together and move the development of the computer biznis along???

  5. This should be no surprise. MANY years ago, when Microsoft introduced the ActiveX technology, security experts warned that architecture of ActiveX had deep and fundamental flaws. And this was almost 10 years ago. Microsoft has not moved to address these fundamental flaws, and the company has had more than adequate time to do so.

    Granted, few of us could foresee the creativity of hackers and scammers that is unfortunately so refined today. We cannot forget the real fault is with the sick minds who want to steal from others. But that does not excuse Microsoft from being arrogant. In their hubris to not address the known flaws in ActiveX, a lot of people may suffer this year and next. Frankly, I think the best thing Microsoft could do is to pull the plug on ActiveX and admit they made a mess of it!

    Oh, and a reply to Reginald Duopoly above: dude, keep your pants on. You’ll soon see the latest from Steve. Besides, what’s a Christmas without a few good surprises? And if you want to get an idea of what Apple and IBM have in store, look at the cover article in this week’s InfoWorld magazine: http://infoworld.com/reports/50SRpower5.html

    Happy holidays.

  6. Reginald Duopoly,

    I think the upcoming MacWorld in SF will be the official release of Tiger. I believe this because Steve has been promoting Tiger openly for over 6 months, since June 28, 2004 at the WWDC2004. And an even stronger indication is that the current promo for Panther ends the day before Steve’s upcoming MacWorld keynote speech.

    I think the whole event will be on the incredible features and speed of Tiger (http://www.apple.com/macosx/tiger/), including the awesome new apps like Automator and VoiceOver. VoiceOver, as integrated into the OS as the mouse and keyboard, will bring us all one step closer to a StarTrek-like voice activated computer. Steve didn’t go from a one-button mouse to a two button mouse (follow Microsoft? No way!) because what he really wants to do is go from a one-button mouse to NO MOUSE. This ability may require full 64-bit programming; whole words and phrases can be stored as a single byte, and manipulated as such.

    I think this upcoming MacWorld with the Tiger release will be such a huge leap in the advancement of computer OSs, that even the XP zombie wearing the MS issued blinders will be able to see the huge difference. XP will look like something from the 80’s.

    On my Christmas wish list is that Steve also introduces an all new Publishing/Word program that’s fully integrated into iLife: Eliminating the final reason anyone would have to stay with MS.

  7. Reginald Duopoly,

    It sounds like you’re more interested in rumor sites. And, just in case you’re new here, MDN has a big choir that loves to be preached to. (I guess it just feels good:)

  8. mac dood:

    It’s worse than that. There are many, many, many folks out there who consciously use IE because all the sites they visit work with it, and when they use a non-ActiveX browser, the sites don’t work. They simply don’t seem able to comprehend that all their other woes come from this single source: ActiveX.

    Mike

    These powerful brains are the same ones that build black audio control boxes that are controlled by PC RS-232 serial ports. The fact that you can’t buy a PC laptop with a serial port on it any more doesn’t faze them a bit. They post tutorials on selecting a USB to serial converter that will work with their system. No. Really.

  9. Mr. Incredible…. thanx for your explanation…. I figured that was the case…

    M. T. MacPhee…
    Yeah, you’re right about some people who use IE in a conscious manner… but, it seems that there are also those who have no clue that there are other browser options out there…and continue to use IE because it’s the one they learned on…

    In my experience, I don’t usually find websites which do not work with my Browsers…. (none are IE) …. and if I ever run across any…. all of my browsers have a neat little feature…. it’s called the “back” button !

  10. “Isn’t all these Microsoft is full of crap stories just preaching to the choir?”

    You must be new here…

    About the only good thing is that it helps with the Microsoft fanatics who say, “Well, I just got Windows XP SP2 so my Windows machine is now just as secure as your Mac!”

  11. If this doesn’t sell another million or two Macs, nothing will! I’m emailing this article out to all friends, relations and rabbits telling them to get online to Apple.co.uk FAST.

  12. It may be preaching to the choir, and there may be “not much Mac/Apple computer news/stuff going on”, but these wee gems are great for getting one’s point across to IT bonehead administration, who forgot what being a ‘user in the trenches’ was like as soon as they got their own offices.

    At the schools here, classroom, lab, and teacher workstations (both mac and pc, just so’s you know) are going unrepaired because the admin windows workstations are taking all our time with *software* repairs — 95% of it malware. I’m told to tell teachers who complain that their classroom pcs are infected to ‘just unplug it from the network’.

    Yah, right. How long d’you think it’ll stay that way, before the teacher gets frustrated or forgets due to the long wait-time and plugs it back in again so the students can do research and print?

    Oh — and ‘student computers’ — which get lowest priority to repair — include any adaptive stations for special ed, even if required by IEP.

    So much for supporting teaching and learning *in* the classroom.

    So these bits, essentially laughing at Windows, are great ammo, and a lovely boost to the faithfuls’ self-esteem which get a beating everywhere else.

    (my only wee gripe here is when the tidbits are linked to articles on sites that require registration to access the item. Boo!)
