Starting in January 2005, the BugBlog will pick its Bug of the Month, representing the most significant bug found in the past month. Sometimes the bug will be the one that could potentially cause the most damage; sometimes it will be the bug that affects the most users; and sometimes it will simply be the most interesting bug. It will be selected either from the free Bug of the Day or from the subscription-only BugBlog Plus.
The Bug of the Month for March 2005 was posted as the Bug of the Day on February 9.
“Browsers that support IDN (International Domain Name) are susceptible to a spoofing attack where your address bar will show that you are at a particular site, such as your bank, while the content shown in the browser window is from some other site, such as an identity thief. Browsers that are susceptible include Mozilla, Firefox, OmniWeb, Opera, Konqueror (and other KDE browsers), Netscape, and Apple Safari. One browser that isn’t affected is Microsoft Internet Explorer, because it doesn’t support IDN. However, there is a plug-in that adds the support, and also the vulnerability. The Secunia security researchers have a test to see if your browser is vulnerable, which you can see at http://secunia.com/multiple_browsers_idn_spoofing_test/. As fix information becomes available, it will be listed individually for each of the browsers.”
Why this one? First, it is a cross-company bug: it affects every browser that implements IDN, because the weakness lies not in any one vendor's code but in what IDN lets the address bar display. A Unicode domain name can contain letters from other scripts, such as the Cyrillic “а” (U+0430), that are drawn identically to their Latin look-alikes, so a registered look-alike name is visually indistinguishable from the real one even though it resolves to a completely different server. Given that it can trick a user into handing sensitive information to a fake site, the bug could also have financially severe consequences.
There have already been fixes for the Konqueror browser, at least in the Red Hat version, listed in the BugBlog Plus on 2/14. The Mozilla Organization announced a “fix” on 2/17: it was simply to remove support for IDN. After a certain amount of user outcry, they changed course on 2/21 and said that IDNs would instead be displayed in their Punycode (ASCII “xn--”) form. That exposes a spoof rather than hiding it: a look-alike name built from non-Latin characters no longer resembles the real domain once the address bar shows it as xn--....
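As an added example (not code from BugBlog or from any of the browser vendors named above), the following Python script shows the three views of a homograph name: what the user sees rendered, what the resolver and a Punycode-displaying browser see, and a mixed-script check of the kind a browser can apply before rendering a name in Unicode at all. That last check goes beyond the page's two remedies (drop IDN, or show Punycode); the domain names, the Cyrillic substitution, and the small confusables table are all constructed for the illustration.

```python
"""IDN homograph spoofing: what the user sees vs. what the resolver sees.

Added example; the names below are constructed and are not real domains.
"""
import unicodedata

# Constructed pair: the genuine name and a look-alike whose third letter is
# CYRILLIC SMALL LETTER A (U+0430) instead of LATIN SMALL LETTER A (U+0061).
REAL = "examplebank.com"
SPOOF = "ex\u0430mplebank.com"


def to_punycode(name: str) -> str:
    """ASCII-compatible (Punycode, 'xn--') form: what DNS resolves and what
    a browser that refuses to render Unicode names shows in the address bar."""
    return name.encode("idna").decode("ascii")


def from_punycode(ace: str) -> str:
    """Inverse of to_punycode: the Unicode name a browser would render."""
    return ace.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Unicode scripts used in one DNS label, taken from the first word of
    each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...).
    Digits and '-' are script-neutral and ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(name: str) -> bool:
    """True if any label mixes scripts, e.g. Latin letters with a Cyrillic
    look-alike. Legitimate IDNs are almost always single-script per label,
    so this flags the spoof without disabling IDN altogether."""
    return any(len(scripts_in_label(label)) > 1 for label in name.split("."))


# Constructed subset of Cyrillic letters that are drawn like Latin ones.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(name: str) -> str:
    """Fold confusable characters onto their Latin look-alikes so that two
    names that render the same also compare the same."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in name)


def looks_like(candidate: str, target: str) -> bool:
    """True if candidate is a different name that renders like target."""
    return candidate != target and skeleton(candidate) == skeleton(target)


if __name__ == "__main__":
    for name in (REAL, SPOOF):
        print(f"rendered: {name!r:22} resolves as: {to_punycode(name):28} "
              f"mixed-script: {is_mixed_script(name)}")
    print("spoof renders like real name:", looks_like(SPOOF, REAL))
    print("Punycode round trip intact:", from_punycode(to_punycode(SPOOF)) == SPOOF)
```

Run stand-alone, the script prints both names side by side: the rendered forms are indistinguishable on screen, while the resolved form of the spoof begins with xn-- and is plainly not examplebank.com, which is exactly what Mozilla's Punycode display relies on. The mixed-script test is the cheaper, user-friendlier alternative: a name that mixes Latin and Cyrillic in one label is shown in Punycode, while a single-script IDN is still rendered normally.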