...by Graf!
 Web Design, Internet, Systems Consulting
 
SOFTWARE TROUBLESHOOTING TIPS AND TRICKS

Table of Contents
 
------




@
 Microsoft Internet Explorer and Download Spoof
(Added 01/30/2004)

Scenario: When clicking on a link and selecting the "Open" option, Microsoft Internet Explorer (MSIE) purports to be downloading a file, when in fact it runs an HTML executable file.

Pre-condition: Any version of MSIE is used to access the Web Site hosting the link in question.

Solution: This spoof was first discovered three years ago and reported to Microsoft in April 2001. Microsoft purportedly fixed this flaw, but subsequently reintroduced it into MSIE. It works on the premise that the user selects "Open" instead of the "Save to disk" option. The link in question contains an embedded Class ID string (CLSID) as part of the file name. CLSID strings are an integral part of the Component Object Model (COM) objects used by Microsoft for building applications on the Internet, and this can make any file type appear as "trusted" to both Browser and Operating System.

When triggered, this flaw has the potential to be used by an individual with malicious intent, to introduce a worm or virus into the victim's computer without their knowledge. The potential for an infiltration is all the more accute if its implications are considered alongside another flaw which permits URL Spoofing in MSIE.

In order not to fall victim to this spoof, the best solution is to always save downloaded files to disk first, and examining the resulting file prior to executing it. It is also prudent to harden the Security settings within MSIE, by either disabling or forcing prompts for all downloadable and executable files and controls in the Browser's Advanced Security settings. Hardening the MSIE in this manner will not eliminate the problem, but rather add a small layer of additional protection. Additionally, if the "Install On Demand" exists in the installed version of MSIE's Internet Options | Advanced, it should be deactivated as well.
<-Table of Contents
------

@
 Microsoft Internet Explorer and Spoofed URL's
(Added 01/29/2004, Updated 07/16/2004)

Scenario: Accessing a Web Site with any version of Microsoft's Internet Explorer (MSIE) by way of a link embedded in an email message, document or other rich text file gives outward indications that the Site was reached, yet the Web Browser was hijacked to a different URL (spoofing).

Pre-condition: A version of Microsoft Internet Explorer prior to version 6.0.2800.1106 is used for accessing the URL in question.

Solution: There is a known flaw in all versions of MSIE that predate version 6.0 (with Service Pack 1) which makes this kind of spoofing possible. It permits the hijacking of the Web Browser for potentially malicious purposes, such as to take advantages of other flaws in the Browser or the version of the underlying Operating System.

The spoof works by way of a link that is intentionally crafted to give the appearance of accessing a Web Page on one domain, while in actuality loading a Web Page located in a completely different location. This is done by inserting a non-printing character into the physical URL represented by the link.

To illustrate the flaw, click on each of the two buttons and pay close attention to the content of the address bar. The first will load a specially prepared demonstration page in the normal manner, while the second loads the same page utilizing the flaw described in this article. Note: The second page will not load with the updated version of MSIE, as identified above)


Because the originator of the spoof is able to hide the real URL, the most expedient solution is to never click on links that appear in emails or documents from unknown sources. Instead, the URL should be selected and copied (<Ctrl>+C) and pasted (<Ctrl>+V) into the Web Browser's location bar. Although this may be tedious, it is the safest solution in the long run.

If in doubt about the legitimacy of a Web Page location, it's also possible to determine the actual URL by executing the following JavaScript applet from the Browser's location bar (Please note that use of this applet on some types of Web Site, such as on e-commerce Sites, may cause the current session to be lost —for example the contents of an online shopping cart):
javascript:alert('Displayed URL:\t' + location.protocol + '//' + location.hostname + '/' + '\nActual URL:\t' + location.href + '\n\nIf the server names do not match, this may be a spoof.');
See also: Microsoft Knowledge Base Article #833786

Update: MSIE version 6.0.2800.1106 corrects this flaw. To verify the version of MSIE in use, click Help | About and check the version information in the resulting dialog. The patched browser should report the above version number in the first line of version data. The fourth line should include SP1 in the Update Versions list.
<-Table of Contents
------

@
 Norton Internet Security 2002 and Web Forms
(Added 01/18/2004)

Scenario: While attempting to complete a Web Form, the hosting Web Server returns an error (usually related to a missing referrer) which prevents the transaction from completing. The cause lies in the firewall's blocking of referential data which is required to prevent misuse of the Web Form.

Pre-condition: You are running Symantec's Norton Internet Security 2002 software Firewall with the "Enable Privacy" option enabled and set to the default level.

Solution: The following procedure will not only correct the problem, but also configures the Firewall to provide a stronger security model without compromising your system's security:
  1. Start the Norton Internet Security client.
  2. Scroll down to Privacy Control
  3. Verify that Enable Privacy check box is ticked
  4. Click on Custom Level. A new dialog will open.
  5. Set Confidential Information to "Medium: Prompt me each time".
  6. Set Cookie Blocking to "None: Allow Cookies (recommended)".
  7. Remove the tick from the Enable Browser Privacy check box to disable the option.
    — This is the setting causing the problem.
  8. Make sure that the Enable Secure Connections (https) check box is ticked.
This solution may also work with more recent versions of Norton Internet Security.
<-Table of Contents
------



------
Copyright, ©1996-2005, ...by Graf!