A dangerous spoofing security hole has been found in every browser on the market — except one.
Mozilla, Firefox, Safari, Opera and Netscape all suffer from the “moderately critical” vulnerability that allows the spoofing of address bar URLs and SSL certificates, but, incredibly Microsoft Corp.’s Internet Explorer gets a clean bill of health.
Publicized by security company Secunia, the flaw affect the range of browsers using the open-source Geko browser kernel. Anyone using an affected browser would be able to visit spoofed websites without being aware of it, something that would aid any crime based on setting up bogus websites, such as phishing.
The flaw arises from the way the named browsers resolve web addresses that include international characters in International Domain Name (IDN) URLs. Russian researchers Evgeniy Gabrilovich and Alex Gontmakher first outlined the potential for such a spoofing issue in 2002, in what was then a theoretical paper, The Homograph Attack. Exploiting the hole could, they reasoned, allow them to register a “homographic” variant of www.microsoft.com that included Unicode/UTF-8-defined Russian characters similar to certain ASCII characters.
They speculated that some browsers would either resolve these characters in a garbled way or would, as has turned out to be the case, present them as if the registered domain was actually the real Microsoft.com. Users could also be fooled into believing the bogus site was protected by an SSL certificate when it wasn’t.
There is no patch for the vulnerability though users can at least test browsers for it on the Secunia website.