multiple Web browsers IDN URL spoofing

multiple-browsers-idn-spoof (19236) The risk level is classified as MediumMedium Risk

Description:

Safari Web browser could allow a remote attacker to spoof the URL in the address bar, the SSL (Secure Socket Layer) certificate, and the status bar, caused by a vulnerability in the IDN (International Domain Name). A remote attacker could register various domain names with specific international characters that closely identify with various commonly used characters to spoof the URL and disguise the Web site as being legitimate.

Note:Other Web browsers vulnerable include: Safari, Firefox, Camino, Mozilla, Opera, Netscape, Konqueror, OmniWeb, I-Nav Plug-In and Epiphany.


Consequences:

Data Manipulation

Remedy:

For Gentoo Linux:
Upgrade to the latest version of Mozilla (1.7.6 or later), as listed in GLSA 200503-30. See References.

For Gentoo Linux (Firefox):
Refer to Gentoo Linux Security Announcement GLSA 2005-03-10 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Upgrade to the latest Opera listed below. Refer to SUSE Security Announcement SUSE-SA:2005:031 for more information. See References.

x86 Platform:
SUSE Linux 8.2: 8.0-4 or later

x86 and x86-64 Platforms:
SUSE Linux 9.3, 9.2, 9.1 and 9.0: 8.0-1.1 or later

For Red Hat Linux (konqueror):
Refer to RHSA-2005:325-07 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Firefox):
Refer to RHSA-2005:176-11 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Mozilla):
Refer to RHSA-2005:384-11 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-149-3, USN-155-2 and USN-155-3 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2005:016 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • CIAC INFORMATION BULLETIN P-149: Firefox Security Update.
  • CIAC INFORMATION BULLETIN P-156: Apple Security Update 2005-003.
  • CIAC INFORMATION BULLETIN P-159: kdelibs Security Update.
  • BID-12461: Multiple Web Browser International Domain Name Handling Site Property Spoofing Vulnerabilities
  • BID-12470: Multiple Mozilla Browser enable.IDN Setting Weakness
  • CVE-2005-0233: The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
  • CVE-2005-0234: The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
  • CVE-2005-0235: The International Domain Name (IDN) support in Opera 7.54 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
  • CVE-2005-0236: The International Domain Name (IDN) support in Omniweb 5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
  • CVE-2005-0237: The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
  • CVE-2005-0238: The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
  • CVE-2005-4678: Apple Safari 2.0.2 (aka 416.12) allows remote attackers to spoof the URL in the status bar via the title in an image in a link to a trusted site within a form to the malicious site. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
  • GLSA-200503-10: Mozilla Firefox: Various vulnerabilities
  • GLSA-200503-30: Mozilla Suite: Multiple vulnerabilities
  • MDKSA-2005:058: Updated kdelibs packages fix multiple vulnerabilities
  • OSVDB ID: 20957: Apple Safari Image Control Title Attribute Status Bar Spoofing
  • OSVDB ID: 61029: Omniweb International Domain Name (IDN) Punycode Encoded Domain Name Spoofing
  • OSVDB ID: 61030: Opera International Domain Name (IDN) Punycode Encoded Domain Name Spoofing
  • OSVDB ID: 61031: Apple Safari International Domain Name (IDN) Punycode Encoded Domain Name Spoofing
  • OSVDB ID: 61032: Epiphany International Domain Name (IDN) Punycode Encoded Domain Name Spoofing
  • RHSA-2005-176: firefox security update
  • RHSA-2005-325: kdelibs security update
  • RHSA-2005-384: Mozilla security update
  • SA14162: KDE Applications IDN Spoofing Security Issue
  • SA17618: Safari Image Control Status Bar Spoofing Weakness
  • SUSE-SA:2005:016: Mozilla Firefox: remote code execution
  • SUSE-SA:2005:022: kdelibs3: various KDE security problems
  • SUSE-SA:2005:031: Opera: various problems
  • US-CERT VU#273262: Multiple web browsers vulnerable to spoofing via Internationalized Domain Name support
  • USN-149-3: Ubuntu 4.10 update for Firefox vulnerabilities

Platforms Affected:

  • Apple Safari 1.2.5
  • Canonical Ubuntu 4.10
  • Canonical Ubuntu 5.04
  • Gentoo Linux
  • GNOME Epiphany
  • KDE Konqueror 3.2.2
  • MandrakeSoft Mandrake Linux 10.0 AMD64
  • MandrakeSoft Mandrake Linux 10.0
  • MandrakeSoft Mandrake Linux 10.1 X86_64
  • MandrakeSoft Mandrake Linux 10.1
  • MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 3.0
  • Mozilla Firefox 1.0
  • Mozilla Mozilla 1.6
  • Netscape Navigator 7.2
  • Novell Linux Desktop 9
  • Omni Group OmniWeb 5.1
  • Opera Opera Browser 7.54u1
  • Opera Opera Browser 7.54u2
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 3 WS
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 WS
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • SuSE Linux Enterprise Server 9
  • SUSE SuSE Linux 8.2
  • SUSE SuSE Linux 9.0
  • SUSE SuSE Linux 9.1
  • SUSE SuSE Linux 9.2
  • SUSE SuSE Linux 9.3
  • VeriSign I-Nav Plug-In 2005-02-09

Reported:

Feb 07, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page