Microsoft Internet Explorer IDN authentication dialog spoofing
ie-idn-authentication-spoofing (34867)
Description:
Microsoft Internet Explorer could allow a remote attacker to spoof the URL shown in authentication dialogs, caused by an error in the International Domain Name (IDN) implementation. By persuading a victim to visit a specially crafted Web page, a remote attacker could exploit this vulnerability to spoof authentication dialogs and possibly carry out phishing attacks.
Platforms Affected:
- Microsoft, Internet Explorer 7
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Bypass Security
References:
- ha.ckers Web site, Internet Explorer Cross Domain Basic Auth Phishing Tactics at http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/.
- Microsoft Corporation Web site, Microsoft Corporation at http://www.microsoft.com/en/us/default.aspx.
- BID-24483: Microsoft Internet Explorer 7 HTTP Authentication International Domain Name Spoofing Weakness
- CVE-2007-3164: Microsoft Internet Explorer 7, when prompting for HTTP Basic Authentication for an IDN web site, uses ACE labels for the domain name in the status bar, but uses internationalized labels for this name in the authentication dialog, which might allow remote attackers to perform phishing attacks if the user misinterprets confusable characters in the internationalized labels, as demonstrated by displaying xn--theshmogroup-bgk.com only in the status bar.
- SA25663: Microsoft Internet Explorer 7 HTTP Basic Authentication IDN Spoofing
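As an added defensive example (not code from the X-Force record or from Microsoft), the following Python decodes the ACE hostname quoted in CVE-2007-3164 to its Unicode form, flags labels that mix scripts (Latin plus Cyrillic in this case), and falls back to the ACE form for display when a label is suspicious, which is the consistent behaviour the advisory says the dialog lacked; the function names and the script heuristic are assumptions.

```python
import unicodedata

# Sample taken from the CVE text above: the ACE (punycode) form of the host.
# Its Unicode form contains a Cyrillic letter that renders like a Latin "o".
ACE_HOST = "xn--theshmogroup-bgk.com"


def ace_to_unicode(host: str) -> str:
    """Decode an ACE hostname (xn-- labels) to its Unicode form."""
    return host.encode("ascii").decode("idna")


def unicode_to_ace(host: str) -> str:
    """Encode a Unicode hostname to the ACE form used on the wire."""
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate a letter's script from its Unicode name, e.g.
    'CYRILLIC SMALL LETTER O' -> 'CYRILLIC' (heuristic, assumption)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script_labels(host: str) -> list:
    """Return labels of a Unicode hostname whose letters span more than one
    script. 'theshmo' + Cyrillic 'о' + 'group' looks like the all-Latin
    'theshmoogroup' but is a different domain."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        scripts.discard("COMMON")
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def display_name_for_dialog(host: str) -> str:
    """Pick the name a credential prompt should show: the Unicode form when
    every label is single-script, otherwise the unambiguous ACE form."""
    is_ace = host.startswith("xn--") or ".xn--" in host
    unicode_host = ace_to_unicode(host) if is_ace else host
    if mixed_script_labels(unicode_host):
        return unicode_to_ace(unicode_host)
    return unicode_host
```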
Reported:
Jun 08, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
