If your schools are among the growing number to use one of many new alternatives to Microsoft’s Internet Explorer (IE) web browser–including Mozilla’s Firefox or Apple Computer’s Safari–then you should know about a newly discovered vulnerability that could make users of these programs susceptible to internet scams.

An internet browser feature meant to permit web addresses in Chinese, Arabic, and other languages could encourage online fraudsters by making so-called “phishing” scam web sites look legitimate to visitors. For once, the affected browser is not the industry-leading IE from Microsoft Corp., but rather several of its more robust competitors.

That’s because the aging IE lacks support for internationalized domain names–at least without a plug-in, which if installed would then make IE vulnerable.

“It’s kind of ironic that it affects some of the supposedly safer browsers,” said Neel Mehta, a research engineer for Internet Security Systems Inc.

A fix won’t be easy because the vulnerability, publicized at a hacker conference last weekend, involves a feature, not a coding error.

Engineers at the Mozilla Foundation, developer of the No. 2 Firefox browser, said they were reviewing options and should have more to say within a few days.

The maker of the Opera browser said in a statement that although a fix is possible, “it’s extremely hard to find a balance between making the fix too comprehensive or too limited. Even though you limit yourself, you can create problems for valid domains.”

Officially, the internet’s Domain Name System supports only 37 characters–the 26 letters, 10 numerals, and a hyphen.

But in recent years, in response to a growing internet population worldwide, engineers have been working on ways to trick the system into understanding other languages.

Engineers have rallied around a character system called Unicode. The newly discovered vulnerability–known as an “exploit” in computer-security circles–takes advantage of the fact that characters that look alike can have two separate codes in Unicode and thus appear to the computer as different. For example, Unicode for “a” is 97 under the Latin alphabet, but 1072 in Cyrillic.

Substituting one for the other can allow a scammer to register a domain name that looks to the human as “paypal.com,” tricking users into giving passwords and other sensitive information at what looks like a legitimate site.
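To make the mechanism concrete, here is an added Python example (not from the article or from any browser vendor) that shows the two code points the article cites, converts a Unicode hostname to and from its ASCII "xn--" form as browsers and resolvers see it, and flags any label whose letters come from more than one alphabet. The look-alike hostname is a constructed sample, and the script classification is a heuristic based on Unicode character names rather than a full confusables database.

```python
import unicodedata

# Words at the start of a Unicode character name that identify an alphabet.
# Digits, hyphens and punctuation have no alphabet of their own and are
# treated as "Common", which may legitimately mix with any alphabet.
SCRIPT_WORDS = {
    "LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
    "DEVANAGARI", "THAI", "HANGUL", "HIRAGANA", "KATAKANA", "CJK",
}


def script_of(ch: str) -> str:
    """Approximate the alphabet of one character from its Unicode name."""
    name = unicodedata.name(ch, "")
    first = name.split(" ")[0] if name else ""
    return first if first in SCRIPT_WORDS else "Common"


def code_points(label: str) -> list:
    """(character, code point, alphabet) for each character of a label."""
    return [(ch, ord(ch), script_of(ch)) for ch in label]


def scripts_in(label: str) -> set:
    """Alphabets used by a label, ignoring script-neutral characters."""
    return {s for _, _, s in code_points(label) if s != "Common"}


def to_ace(hostname: str) -> str:
    """Unicode hostname -> ASCII-compatible form (xn-- labels)."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """ASCII-compatible hostname -> Unicode form (the reverse of to_ace)."""
    return hostname.encode("ascii").decode("idna")


def mixed_script_labels(hostname: str) -> list:
    """Labels that draw letters from more than one alphabet.

    The hostname is decoded first, so an xn-- form taken from a log line
    or a mail header is inspected as the Unicode string a user would see.
    """
    unicode_host = to_unicode(hostname) if hostname.isascii() else hostname
    return [lbl for lbl in unicode_host.split(".") if len(scripts_in(lbl)) > 1]


def safe_display(hostname: str) -> str:
    """Show single-alphabet names as Unicode, mixed ones in their xn-- form."""
    return to_ace(hostname) if mixed_script_labels(hostname) else hostname


if __name__ == "__main__":
    # Constructed sample: "paypal.com" with the second letter replaced by
    # Cyrillic small a (U+0430), which renders identically to Latin a.
    lookalike = "p\u0430ypal.com"
    for ch, cp, script in code_points(lookalike.split(".")[0]):
        print(f"{ch!r:6} U+{cp:04X} ({cp:4d}) {script}")
    print("ASCII form :", to_ace(lookalike))
    print("mixed      :", mixed_script_labels(lookalike))
    print("display as :", safe_display(lookalike))
```

Running the block prints the per-character code points (97 for the Latin a, 1072 for the Cyrillic one), the ASCII form `xn--pypal-4ve.com`, and the flagged label. The same `mixed_script_labels` check can be applied to hostnames pulled from mail or proxy logs, where the name usually appears already in its xn-- form.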

Some browsers, including Firefox, let users deactivate the other character sets–but doing so is complicated and would cut off access to the relatively few sites that use non-English characters in their addresses.

A better solution is to always manually type the web address directly into a browser rather than clicking on a link sent via eMail or even copying and pasting that link.

The potential for the vulnerability has been known for a while, but it has only recently gained the attention of security experts as non-English domain names become a reality.

Eric Johanson, an independent security consultant in Seattle, publicized the problem Feb. 6, saying he wanted to pressure vendors to act.

Dan Hubbard, director of security at Websense Inc., which monitors phishing scams, said he knew of no eMail messages circulating on the internet that take advantage of the vulnerability, but he expects scammers to start using it soon to target non-IE browsers.

Hubbard said plenty of flaws already exist with IE, because users don’t keep up with security updates.

“Attackers will check to see what browser you’re using and then use vulnerability A if it’s Internet Explorer and B if it’s Mozilla Firefox,” Hubbard said.


But Johannes Ullrich, chief technology officer with the SANS Institute’s Internet Storm Center, said scammers might focus on exploiting other flaws because IE remains the dominant browser.

“Right now, the one thing that will likely prevent [scammers] from using it is that Internet Explorer users will not be able to see the page at all,” he said.
