Safari phishing vulnerability

attica:

To my knowledge, the problem you depict is not a Safari problem. Most of us, regardless of browser, get E-mails that attempt to secure personal information. In fact, I got one on a heavily protected government computer in a Windows environment running IE with all the latest updates. The phishing can be ignored....just do not respond to requests for data.

The correct procedure (many sites, including eBay, recommend you be very sure the message is from the correct source) is NOT to respond to requests for information unless you are sure about the souurce. When in doubt, check. My bank posts the same warning.

Barry

Attica's absolutely right and pay attention. Proof of concept is right here:

http://www.shmoo.com/idn/

Wake up, Apple.

Here's a quick fix that will work until Apple changes IDN support in Safari.

------
**Do not hold me responsible for your misfortunes if you follow these instructions. Save a back-up copy of Safari)

FIRST, QUIT Safari! (maybe you should print these instructions first, unless your memory is great)

1) You must have the dev tools installed and quit Safari.
2) Show Package Contents of Safari and go to the folder Safari>Contents>Resources>English.lproj and open up the file called Browser.nib
3) Click "OK"
4) Click once on the "Go to this address" box. Be careful not to drag it anywhere.
5) Hit Open-Apple T to bring up the Font window.
6) Change it to something basic, like Courier which is a fixed width font and fairly basic.
7) Save
8) Enjoy!

Here's an example I posted on another message board http://www.broadbandreports.com/forum/remark,12608658~mode=flat#12608833

attica:

Your risk (unless you carelessly respond to requests for information) is somewhere between very small and nil. Taking arcane instructions from unknown sources to 'fix' this 'problem' is, IMHO, not worth the risk. Modifying your browser exposes you to far worse problems.

Barry

I believe this is quite a big threat...I used Safari 1.2.4 and Firefox on the links Attica posted, and both were vunerable.

This article mentions to always manually type Web address directly into a browser rather than clicking on a link sent via e-mail or even copying and pasting that link.

This is from a Yahoo article here: http://story.news.yahoo.com/news?tmpl=story&cid=562&e=2&u=/ap/webbrowserflaw

Unlike Safari, Firefox allows you to disable IDN support easily and close this vulnerability.

In Firefox, type "about:config" in the browser URL field. Then scroll down to "network.enableIDN", right-click "value", choose 'toggle' to make it false.

Dave

Dave: Thank you. this will work very well for me, since I am extremely unlikely to want to access websites in non-roman characters

Be aware that the work around described for Firefox does not stick. You must re-do every time you launch Firefox.

Also be aware that this is NOT a flaw in Safari or Firefox. This problem is caused by the IDN specification itself. Safari has implemented the spec correctly. The flaw is in the IDN rules.

Be aware that the reason this exploit doesn't work in Internet Explorer is because IE doesn't even support IDN, not because IE is somehow correctly implements the spec.

And finally, as an earlier poster stated, you're own vulnerability is low or nil. Proof of concept does not a problem make. We've been through this before with the "First OSX Trojan Horse" scare and very other scare so far. A proof of concept surfaces, the chicken-littles scream holy murder, nothing ever comes of it. Apple eventually releases a security update. Repeat same with next proof of concept to appear.

Could it happen? Yes. Will it, in fact, happen? Based on previous announced exploits, probably not. Best advice? Just be aware of where you are on the internet and pay attention to what you are doing.

What will we give up (besides susceptibility to this proof of concept threat) when IDN support is removed/patched on our browsers? Or to state it another way, what is the benefit of the IDN standard in the first place? Thanks.

Steve M.

Well, we'll just have to agree to disagree I guess. When the hoopla started over the OS X trojan proof of concept I believe you were one of the most strident predictors of doom, along with *Sailfish. Any attempts to quell people's fears by pointing out the actual, real threat, was not that high were shouted down. And guess what, nothing ever came of the exploit.

I expect to be shouted down again but I still maintain that people can be made aware of a problem without what amounts to fear-mongering from self-described "paranoid freaks".

Actually, it's because the plugins aren't installed by default.

There's no IDN plugin for IE for the Mac, is there?

The point of IDN is of course to let people whose native language uses a script other than simple Latin to register domain names in those scripts. The addition of many thousands of possible characters that can appear in urls greatly multiplies the possibility for mistaken identity, either accidental or on purpose. This can already happen with Latin, because different characters can look the same in various fonts, but it is much more limited.

Restricting IDN will limit access to the newly possible urls.

Rules were developed to reduce the potential problems, but I gather they are not being well followed:

http://www.icann.org/general/idn-guidelines-20jun03.htm