Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Holy Crap Batman! Our Browser is Vulnerable

April 19, 2017

Another way for the bad guys to screw with us. Users of the Chrome, Firefox and Opera browsers are vulnerable to Unicode phishing attacks. For those not familiar with Unicode, you can read the Wikipedia entry here, but basically it is a 16-bit code that identifies each character. The English language doesn't need Unicode, but the Chinese language does. Application software has only supported Unicode for the last several years. In fact, many vendors tout Unicode support as the great differentiator. We digress.

We thought the vulnerability was fixed over ten years ago, but apparently not. One of the latest browser vulnerabilities is improper handling of Unicode URLs. It's pretty scary. You can try it for yourself by clicking here. (Don't worry. Nothing bad will happen.) If the displayed URL shows Apple.com, then your browser doesn't know how to properly decode the URL. Essentially, the URL is completely valid and is crafted in a non-English language to look exactly the same as common English words. As an example, the previous test URL is really xn--80ak6aa92e.com and not apple.com. The browser is vulnerable to what is known as an internationalized domain name (IDN) homograph attack. Graham Cluley has a post that explains the attack in much more detail.

At the present time, the Chrome, Firefox and Opera browsers are impacted. Fixes for Chrome are planned for the end of the month. If you use Firefox, enter about:config and set network.IDN_show_punycode to true.
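To see what the browser is hiding, here is an added example (not from the original post) that decodes the punycode label in xn--80ak6aa92e.com back to the Cyrillic letters it contains and flags the two homograph signals a defender can check for: a label mixing scripts, or a label whose every letter imitates a Latin one. The confusable table is a small hand-picked subset, and the "protected domains" list is an assumed input you would populate with your own brands.

```python
import unicodedata

# Hand-picked Cyrillic letters that render like Latin a, e, o, p, c, y, x, l, i,
# j, s, h in common fonts. Constructed subset, not the full Unicode confusables.txt.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h",
})

def to_unicode(hostname):
    """Decode every xn-- (punycode) label so the host reads as a browser would display it."""
    out = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)

def scripts(label):
    """Approximate each letter's script from its Unicode name, e.g. 'CYRILLIC SMALL LETTER A'."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace confusable letters with the Latin letter they imitate."""
    return label.translate(CONFUSABLE)

def assess(hostname, protected):
    """Return (text, reason) findings for a hostname; an empty list means no homograph signal."""
    findings = []
    decoded = to_unicode(hostname)
    if skeleton(decoded) in protected and decoded not in protected:
        findings.append((decoded, "renders like protected domain " + skeleton(decoded)))
    for label in decoded.split("."):
        found = scripts(label)
        if len(found) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(found))))
        elif found and found != {"LATIN"} and skeleton(label).isascii():
            findings.append((label, "whole-script confusable: every letter imitates Latin"))
    return findings

if __name__ == "__main__":
    protected = {"apple.com"}  # assumed list of domains you want to defend
    # The page's test domain, plus a constructed mixed-script sample (Cyrillic а + Latin pple).
    for host in ("xn--80ak6aa92e.com", "\u0430pple.com", "apple.com"):
        print(host, "->", to_unicode(host), assess(host, protected) or "no findings")
```

With network.IDN_show_punycode set to true, Firefox shows the first column of that output (the xn-- form) instead of the second, which is exactly why the setting defeats the lookalike.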

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com