By ANICK JESDANUN, AP Internet Writer
NEW YORK - An Internet browser feature meant to permit Web addresses
in Chinese, Arabic and other languages could encourage online
fraudsters by making scam Web sites look legitimate to visitors.
For once, the affected browser is not the industry-leading Internet
Explorer from Microsoft Corp. but rather several of its more robust
competitors.
That's because the aging IE lacks support for internationalized domain
names, at least without a plug-in, which would then make IE
vulnerable.
"It's kind of ironic that it affects some of the supposedly safer
browsers," said Neel Mehta, a research engineer at Internet
Security Systems Inc.
A fix won't be easy because the vulnerability that enables so-called
"phishing" scams, publicized at a weekend hacker conference, involves
a feature, not a coding error.
Engineers at the Mozilla Foundation, developer of the No. 2 Firefox
browser, said they were reviewing options and should have more to say
within a few days.
The maker of the Opera browser said in a statement that although a fix
is possible, "it's extremely hard to find a balance between making the
fix too comprehensive or too limited. Even though you limit yourself
you can create problems for valid domains."
Officially, the Internet's Domain Name System supports only 37
characters: the 26 letters, 10 numerals and a hyphen.
But in recent years, in response to a growing Internet population
worldwide, engineers have been working on ways to trick the system
into understanding other languages.
Engineers have rallied around a character system called Unicode. The
newly discovered exploit takes advantage of the fact that characters
that look alike can have two separate codes in Unicode and thus appear
to the computer as different. For example, the Unicode value of "a" is
97 in the Latin alphabet, but the look-alike Cyrillic letter is 1072.
Subbing one for the other can allow a scammer to register a domain
name that looks to the human as "paypal.com," tricking users into
giving passwords and other sensitive information at what looks like a
legitimate site.
Some browsers, including Firefox, let users deactivate the other
character sets but doing so is complicated and would cut off access to
the relatively few sites that use non-English characters in their
addresses.
A better solution is to always type a Web address manually into the
browser rather than clicking on a link sent via e-mail, or even
copying and pasting that link.
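As an added illustration that is not part of the AP article, here is a small Python check of the kind a browser or mail filter could apply to the problem described above: it flags hostnames whose labels mix scripts and shows the ASCII ("xn--") form that the DNS actually resolves. The two sample hostnames are constructed for the example; the second swaps the Latin "a" (code 97) for the Cyrillic look-alike (code 1072) mentioned in the article.

```python
import unicodedata

# Constructed sample hostnames (not from the article). The second one
# swaps the Latin "a" (code point 97) for the look-alike Cyrillic letter
# (code point 1072), the substitution the article describes.
GENUINE = "paypal.com"
LOOKALIKE = "p\u0430ypal.com"


def code_points(label):
    """Numeric code point of each character, so the swap is visible."""
    return [ord(ch) for ch in label]


def script_of(ch):
    """Rough script name taken from the Unicode character name
    (e.g. 'LATIN', 'CYRILLIC'); digits and hyphen are script-neutral."""
    if ch in "-0123456789":
        return None
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def scripts_in_label(label):
    """Set of scripts used within one dot-separated label."""
    return {s for s in map(script_of, label) if s}


def is_mixed_script(hostname):
    """True if any label mixes two or more scripts; a genuine
    non-English domain normally stays within a single script."""
    return any(len(scripts_in_label(lbl)) > 1
               for lbl in hostname.split("."))


def to_ascii(hostname):
    """The 'xn--' (IDNA/punycode) form the DNS actually sees; displaying
    this instead of the Unicode form is one way a browser can expose
    the look-alike."""
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        verdict = "mixed-script" if is_mixed_script(host) else "single-script"
        print(host, code_points(host.split(".")[0]), verdict, to_ascii(host))
```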
The potential for the vulnerability has been known for a while, but it
has only recently gained the attention of security experts as
non-English domain names become a reality.
Eric Johanson, an independent security consultant in Seattle,
publicized it on Sunday, saying he wanted to pressure vendors to act.
Dan Hubbard, director of security at Websense Inc., which monitors
phishing scams, said he knew of no e-mails circulating on the Internet
that take advantage of the vulnerability, but he expects scammers to
start using it soon to target non-IE browsers.
Hubbard said plenty of flaws already exist with IE because users don't
keep up with security updates.
"Attackers will check to see what browser you're using and then use
vulnerability A if it's Internet Explorer and B if it's Mozilla
Firefox," Hubbard said.
But Johannes Ullrich, chief technology officer with the SANS
Institute's Internet Storm Center, said scammers may focus on
exploiting other flaws because IE remains dominant.
"Right now the one thing that will likely prevent them from using it
is that Internet Explorer users will not be able to see the page at
all," he said.