Multiple web browsers vulnerable to spoofing via Internationalized Domain Name support

Overview

Multiple web browsers are vulnerable to spoofing attacks through the use of Internationalized Domain Names. Other applications such as email programs may also be vulnerable.

Description

The Domain Name System

The Domain Name System (DNS) provides name, address, and other information about Internet Protocol (IP) networks and devices. DNS was designed to support domain names that use a subset of the American Standard Code for Information Interchange (ASCII) character set.

Unicode

The Unicode character set contains more than 96,000 characters. Because of this, Unicode can be used to represent a wide range of languages.

Internationalized Domain Names

Internationalizing Domain Names in Applications (IDNA) is a mechanism for translating Unicode domain names into an ASCII representation that is supported by the existing DNS infrastructure. The encoding syntax used by IDNA is called Punycode (RFC 3492). A web browser that supports Internationalized Domain Names (IDN) can visit web sites that contain Unicode characters in the domain name. The request that is sent to the DNS server is encoded as Punycode, but the domain name displayed to the user is in Unicode format. Most modern web browsers support IDN. Microsoft Internet Explorer can support IDN through use of the VeriSign i-Nav plug-in.

The Problem

Many Unicode characters have a similar appearance to ASCII characters. By using a domain name that contains Unicode characters, a web site operator could make it appear that the content from his or her web site actually originated from another site. The text displayed in the browser’s address bar or status bar could be deceptive if the domain name contains Unicode characters. Other programs where the user is making a trust decision based on the appearance of a domain name may also be affected. IDNA is not limited to web browsers.

---

Impact

By making a malicious web site appear to be a site that the user trusts, an attacker could convince the user to provide sensitive information.

---

Solution

Upgrade or Patch
For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.

---

Do not follow unsolicited links

Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Check Certificates

US-CERT recommends that prior to providing any sensitive information over a secure (HTTPS) connection, you check the name recorded in the certificate to be sure that it matches the name of the site to which you think you are connecting.

---

Vendor Information

273262

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer Inc. __ Affected

Notified: February 18, 2005 Updated: March 22, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed by Apple Security Update 2005-003.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23273262 Feedback>).

KDE Desktop Environment Project __ Affected

Notified: February 18, 2005 Updated: March 17, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.kde.org/info/security/advisory-20050316-2.txt&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23273262 Feedback>).

Mozilla __ Affected

Notified: February 18, 2005 Updated: March 01, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mozilla Firefox 1.0.1 displays Internationalized Domain Names in punycode. This can help protect against spoofing.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23273262 Feedback>).

Opera Software __ Affected

Notified: February 18, 2005 Updated: February 18, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23273262 Feedback>).

Red Hat Software, Inc. __ Affected

Updated: August 01, 2005

Status

Affected

Vendor Statement

In Red Hat Enterprise Linux 2.1 and 3 this issue affected the Mozilla
browser. New mozilla packages along with our advisory are available at
the URL below and by using the Red Hat Network ‘up2date’ tool.

<http://rhn.redhat.com/errata/RHSA-2005-384.html&gt;

In Red Hat Enterprise Linux 4 this issue affected the Firefox and
Konqeuror browsers. New kdelibs and firefox packages along with our
advisory are available at the URLs below and by using the Red Hat Network
‘up2date’ tool.

<http://rhn.redhat.com/errata/RHSA-2005-176.html&gt;
<http://rhn.redhat.com/errata/RHSA-2005-325.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Verisign __ Affected

Notified: February 18, 2005 Updated: February 18, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Verisign provides a plug-in for Internet Explorer that provides IDN support.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23273262 Feedback>).

Microsoft Corporation __ Unknown

Notified: February 18, 2005 Updated: February 18, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Internet Explorer does not support IDN natively, but a plug-in is available from Verisign.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23273262 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.cs.technion.ac.il/~gabr/papers/homograph.html&gt;
• <http://www.apps.ietf.org/rfc/rfc3490.html&gt;
• <http://www.apps.ietf.org/rfc/rfc3492.html&gt;
• <http://www.icann.org/committees/idn/idn-codepoint-paper.htm&gt;
• <http://www.icann.org/topics/idn.html&gt;
• <http://www.nic.ac/idnfaq.html&gt;
• <http://unicode.org/reports/tr36/#international_domain_names&gt;
• <http://www.shmoo.com/idn/&gt;
• <http://secunia.com/multiple_browsers_idn_spoofing_test/&gt;
• <http://www.osvdb.org/displayvuln.php?osvdb_id=13578&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=279099&gt;
• <http://www.kde.org/info/security/advisory-20050316-2.txt&gt;
• <http://docs.info.apple.com/article.html?artnum=301061&gt;

Acknowledgements

This vulnerability was publicly disclosed by Evgeniy Gabrilovich and Alex Gontmakher.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2005-0234
Severity Metric:	2.36 Date Public: