n2jtx (join: 2001-01-13, Glen Head, NY)
It makes you wonder...
...how long a fix would take if the exploit had not been made public. At least now we get a chance to see how fast Microsoft can fix things.

ArchAngel21x (MacFan Pro, Premium, join: 2001-10-28, Lincoln, NE)
This is what I wonder. What is the incentive to delay making a patch for a problem, known or unknown?

neftv (join: 2000-10-01, Broomall, PA)
Wow, my antivirus caught it
When I clicked on "demonstrated here" my antivirus reported a trojan, but it could not clean it or move it.

Morac (join: 2001-08-30, Riverside, NJ, Comcast)
Microsoft's Solution
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself." - »support.microsoft.com/default.as···];833786

SpyderWoman (Premium, join: 2002-06-11, Mustang, OK)
Talk about an "educate the user" problem!! Microsoft's recommendation begins with: "Verify that there is a lock icon in the lower right Status bar and verify the name of the server that provides the page that you are viewing before you type any personal or sensitive information."
Well, it's already been demonstrated in our Security forum that the lock can be spoofed. So that's not a safe indicator. The Microsoft article goes on to say to then right-click on the lock symbol and check the source of the digital signature. I'm not certain but what that couldn't be spoofed up or obfuscated enough to confuse most users.
Most of the people "falling" for these phishing expeditions do not have the knowledge available right here in this forum: they are trusting their email to be a "what you see is what you get" thing, and while you and I know it's not that way, they don't.
Does anyone really think that the general public is going to get that boned up on this stuff? Heck, 90% of them never heard the simple guideline "most legitimate businesses won't even ask you to update over the internet via email", much less the stronger guideline "when in doubt, don't until after YOU VERIFY, either by email or phone call, that the request is legitimate".

mastermind278 (Premium, join: 2001-07-12, Newark, NJ, Optimum Voice, Optimum Online)
My solution seems to be to stop using IE, or let McAfee catch it for me. -- Mastermind 4 Life ® ©

banditws6 (Shrinking Time and Distance, join: 2001-08-18, Naples, FL, Comcast)
What's with Microsoft?
My parents nearly fell victim to one of these new phishing scams while I was sitting in the same room over the Christmas holidays. They had received some kind of email from Earthlink (their dialup ISP) claiming that their credit card did not go through on the last attempt to automatically bill, and that they needed to go to a web page and enter a new credit card. My dad was actually going to do it, but at the last minute he decided to get my mom and ask her to make sure the credit card he was entering was a good one to use.
Hearing that, I happened to take an interest in what he was doing and was immediately suspicious. But the "padlock" icon in the browser was on, and the URL bar showed an address at earthlink.net. Must be all right, I thought. But then I remembered the new phishing scams -- which I read about here on DSLR -- and so I went back to the email and checked the source code. Sure enough, it utilized this exploit to pass a false Earthlink URL to the browser. If I hadn't been a frequent visitor of this site, I might have allowed my dad to submit his credit card info to the scammers! Fortunately I caught it and was able to stop my parents from proceeding before they submitted the form.
That Microsoft blithely ignores this problem is sheer stupidity. On my home computer, I've switched to Mozilla Firebird full-time and I'm not missing IE in the slightest. In fact, using Firebird has allowed me to see just how poorly IE interprets a lot of CSS and other markup! -- "I'll follow the law until it's just stupid." -Ted Nugent

woody7 (Premium, join: 2000-10-13, Torrance, CA, EarthLink, DSL EXTREME)
Hmmmmmmmmmmmmm......
Just don't use IE... I get this scam with CitiBank, Earthlink, etc. They look pretty real. I use FireBird, and if there is a problem with the billing, they can contact me by mail or phone... but what I see as another concern is that if it wasn't for DSLR, I wouldn't know about this... Earthlink has never alerted me to the scam, nor CitiBank... I don't even hear about it on TV... Just my thoughts -- BlooMe

Zunger (join: 2003-08-24, Fayetteville, AR)
Anyone who falls for most of these exploits must not be able to read. On most things you sign up for (PayPal, for example) it clearly says they will never email you asking for this. But people are still falling for it; maybe they need to offer a crash course on reading on DSLR.

Nam Vet (Premium, join: 2001-12-03, Allentown, PA)
Re: It makes you wonder... (reply to n2jtx)
LOL, it's M$. Does anyone really believe that they will fix this before 2006?

Transmaster (Don't Blame Me I Voted For Bill and Opus, join: 2001-06-20, Cheyenne, WY, Qwest.net)
Sad
I just told my parents not to use their credit cards on the net at all, but to look them up on Qwestdex or Verizon SuperPages and call them.
It is really sad that Microsoft in their arrogance threatens the trust in online transactions that e-commerce has been trying to sell to the public for years. I always just call to make any purchases I want. I like talking to the company anyway; you can really get a feel for an outfit by how they treat you on the phone. -- Remember when hacking a loogy it comes not so much from the lungs but from the soul.

Sunburn (join: 2000-10-05, Denver, CO)
Re: Hmmmmmmmmmmmmm...... (reply to Zunger)
You do not need to know how to read, just use Firebird. It does it all for you.

rchandra (Stargate SG-1 and Atlantis Fan, Premium, join: 2000-11-09, 14225-2105)
third party?
I don't use I.E. on a regular basis, so I'm not so vigilant about its problems, but I was wondering about those third-party patch guys... have they tried again? I don't remember their domain name. Last I read, their patch had buffer overflow problems, so I wonder if they've had a re-release.
Open source... yeah, right. I couldn't find any source when I looked at their site. -- English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules. Blog is here

Omega (Displaced Ohioan, Premium, join: 2002-07-30, Cheyenne, WY)
Re: Microsoft's Solution (reply to mastermind278)
The way I do it is just look at the status bar at the bottom of IE. It shows you the true link.

Jeremy341 (Bye, Premium, join: 2000-01-06, localhost)
Re: It makes you wonder... (reply to Nam Vet)
said by Nam Vet: LOL, it's M$. Does anyone really believe that they will fix this before 2006?
It's already been fixed in SP2. And considering the fact that SP2 is coming out this year, I'll have to disagree with you.

nascar24 (join: 2000-12-20, Sterling Heights, MI)
Firebird!
Firebird appears to be the correct answer :D Great browser. If people would just start dumping IE, MS might get off their butt and start some innovation.

ParanoiaInc (join: 2002-08-28, Tucker, GA)
Re: Microsoft's Solution (reply to Morac)
True, but for those in a rush this is still a major problem when the fake links start infecting search engines.

rid0617 (join: 2003-07-20, Greer, SC)
Don't use IE
I don't use IE unless it's one of the banking sites that don't accept Firebird. And then I type in the complete address. I don't have that much spare money to lose waiting on Micro$oft.

Morac (join: 2001-08-30, Riverside, NJ, Comcast)
Re: Microsoft's Solution (reply to Omega)
said by Omega: The way I do it is just look at the status bar at the bottom of IE. It shows you the true link.
There's a very easy way to stop the real address from showing up in the status bar. Just add a NULL character (%00) after the %01 character in the URL. Then the fake URL will show in the status bar.
Or use scripting to obscure it.
Either way, looking at the status bar doesn't guarantee you're going to a real site.

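An added example for the discussion above (not code from any poster in this thread, nor from Microsoft): instead of trusting the status bar, it parses the links in an e-mail's HTML source, the way banditws6 did by hand, and reports the host the browser will actually connect to. It assumes the spoof rides on the standard RFC 3986 user:password@host URL syntax combined with percent-encoded control characters such as the %01 and %00 mentioned above; the e-mail body and the host attacker.example are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Percent-encoded C0 control characters (%00..%1F) never belong in a hostname.
CONTROL_ESCAPE = re.compile(r"%[01][0-9A-Fa-f]")
# Link text that reads like a URL or hostname, so it can be compared with the real host.
LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?:[/?#]|$)")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html: str):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def analyze_link(href: str, shown_text: str) -> dict:
    """Report the host the browser will really connect to and why the link looks deceptive."""
    parts = urlsplit(href)
    real_host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host; a spoofed link puts the fake name there.
        reasons.append("userinfo before @")
    if CONTROL_ESCAPE.search(parts.netloc):
        reasons.append("control characters in host part")
    if LOOKS_LIKE_HOST.match(shown_text):
        shown = shown_text if "://" in shown_text else "http://" + shown_text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host != real_host:
            reasons.append(f"shows {shown_host} but connects to {real_host}")
    return {"real_host": real_host, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample e-mail; attacker.example stands in for the scammer's server (hypothetical).
SAMPLE_EMAIL = ('<p>Your card was declined. Please update it: <a href="http://www.earthlink.net%01%00@attacker.example/billing">www.earthlink.net/billing</a>'
                ' or read our <a href="http://www.earthlink.net/help">help pages</a>.</p>')
```

Run `analyze_link(*link)` over `extract_links(SAMPLE_EMAIL)`: the first link resolves to attacker.example with three reasons flagged, the second is a plain Earthlink link and is not flagged.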
lefty1 (join: 2002-10-25, Clay, NY)
Patch is available
You can download a free patch for this flaw in IE by going to »www.openwares.org. Be sure to type the address; don't just click on the link.