Most web browsers are supposed to protect people by implementing security zones. These zones apply different browser security settings depending on the location of the web page being viewed. Phishing emails can lure users to a web site hosting malicious code. Such sites attempt to install spyware, malware or both onto the unsuspecting person’s computer. They rely on weaknesses in web browsers that allow harmful programs to be installed and executed on a computer. These browser vulnerabilities allow a site to override settings even when it is located in a security zone that is not trusted and normally would not allow those actions.
Here are a couple of weak spots, as identified by the CERT Coordination Center:
1. Outlook Express HTML protocol handler does not properly validate location of alternate data
This is a cross-domain vulnerability where a specifically formatted URL invoking the InfoTech Storage (ITS) format protocol handlers could cause Internet Explorer to load an HTML document located within a Microsoft HTML Help (CHM) file. This HTML document would then be rendered in the Local Machine Zone. This HTML document could contain a script, ActiveX object, or IFRAME element to download and execute malicious code. We have observed this vulnerability used extensively in attempts to install malware.
2. Mozilla may execute JavaScript with elevated privileges when defined in site icon tag
This cross-domain vulnerability in the Mozilla suite of web browsers allows scripts within the LINK tag to run unprompted with the privilege of the user running the web browser. We have observed this vulnerability used in an attempt to install malware.
3. Cross-Site Scripting Attacks
Cross-site scripting (XSS) attacks can occur in programs on web sites that accept user input. If the program does not properly sanitize the input data, the vulnerable program may process input or even execute code in ways the original program was never intended to. For example, a phisher could construct a URL that uses a vulnerable program on a legitimate commerce site. This URL would also contain (probably obfuscated) code, such as JavaScript, that could target account credentials. There have been reports that this type of attack was used in a phishing scam against a bank.
A more common XSS attack that has been used in phishing involves the exploitation of vulnerable URL redirector programs. URL redirectors are often used by web sites to perform custom processing based on attributes such as web browser or authentication status or even just to display a message when clicking on a link to an external site. There have been multiple incidents of commerce sites using URL redirectors that allowed a user to input any external URL they wanted to. Thus phishers were able to send phishing emails with URLs that used the vulnerable redirectors on the legitimate sites to trick people into visiting phishing sites.
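The redirector weakness described above comes down to a missing check on the destination. The following is an added example, not code from the original post or from CERT: a server-side validator that accepts only same-site paths or HTTPS URLs on an allowlist. The host names, the allowlist and the function names are hypothetical, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only external hosts this site will redirect to.
ALLOWED_HOSTS = {"shop.example", "payments.shop.example"}
FALLBACK = "/"  # destination used whenever the requested target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return raw if it is a same-site path or an allowlisted https URL, else fallback."""
    if not raw or any(ord(c) < 0x21 or ord(c) == 0x7F for c in raw):
        return fallback  # empty, or contains whitespace/control characters
    if "\\" in raw:
        return fallback  # browsers treat "\" like "/", URL parsers do not
    try:
        parts = urlsplit(raw)
    except ValueError:
        return fallback  # malformed authority, e.g. a broken IPv6 literal
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a rooted path only, never "//host" forms.
        ok = raw.startswith("/") and not raw.startswith("//")
        return raw if ok else fallback
    if parts.scheme != "https":
        return fallback  # rejects http:, javascript:, data:, scheme-relative URLs
    if parts.username is not None or parts.password is not None:
        return fallback  # "https://shop.example@other.example/" style look-alikes
    host = (parts.hostname or "").rstrip(".").lower()
    return raw if host in allowed_hosts else fallback


# Constructed sample values for a redirector's "url" parameter.
SAMPLES = [
    "/account/orders?id=7",
    "https://shop.example/checkout",
    "https://phish.example/login",
    "//phish.example/login",
    "https://shop.example@phish.example/",
    "https://shop.example.phish.example/",
    "javascript:alert(1)",
]


def check_samples():
    """Map each constructed sample to the destination the redirector would use."""
    return {s: safe_redirect_target(s) for s in SAMPLES}


if __name__ == "__main__":
    for target, result in check_samples().items():
        print(f"{target!r:45} -> {result!r}")
```
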

















October 21st, 2008 at 1:53 am
I believe the information you have posted is completely outdated. Upon reading the two exploits you mentioned, in particular the Mozilla exploit, I was confused because I hadn’t heard of that one. I went to CERT, couldn’t find it. Did a search on eventually found it.
The Mozilla vulnerability was published 04-19-2005.
The Outlook vulnerability was published 04-05-2004.
Please update your post so that readers will not be alarmed and think that the product they are using has these exploits. Thank you.
October 21st, 2008 at 5:33 pm
James,
Thank you for taking time out of your busy schedule to provide a comment. You are absolutely correct about the threat being dated. If we had more sharp administrators like yourself, security threats across the board would be minimized by 100%.
In a perfect IT world every web browser installed will always be up to date. As administrators, most of us usually stay on top of updates on our computers. In large companies there is usually maintenance software that pushes software updates down to all computers on the network. In medium and small businesses, most administrators do not have the luxury of time or resources to ensure web browsers are updated. So many users are left stranded with using old versions of web browsers and probably are not receiving appropriate security patches.
As you mentioned that you were not aware of this threat, other administrators probably aren’t either. Although the information in the article is dated, the goal of publishing it was to trigger “due diligence” by administrators to ensure their end-user community has the latest versions of web browsers, along with appropriate security fixes.