I'd like to share with the Realsecure users the following support thread:

8/11/04 Subject: 1404592 - XPU 22.25 - Email_Outlook_URL_Spoof - clarification needed
I have attempted to verify this signature, but under MS Outlook 2000, MS Outlook Express 5.0 & 6.0, and Kmail 1.5 the stated issue does not occur. I tested with the following email (MS Outlook Express was only tested with the first 3 links):

<html><body>
<a href =" http://us.rd.yahoo.com/mail_us/taglines/aac/*http://promotions.yahoo.com/new_mail/static/ease.html ">bad link 1</a>
<a href =" http://drs.yahoo.com/example.com/NEWS/*http://slashdot.org/#http://drs.yahoo.com/www.example.com/NEWS ">bad link 2</a>
<a href =" http://drs.yahoo.com/www.example.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/mail.tju.edu/NEWS ">bad link 3</a>
<a href="http://rd.yahoo.com/*http://nd1.2828.to">bad link 4</a>
</body></html>

All of the mail clients displayed the URL after the asterisk, e.g. for MS Outlook 2000 (See attached file: status_bar.png) (See attached file: version.png).

Can you please provide either an example of a link that causes the issue, or state which mail client is susceptible.

10/11/2004 - Response from ISS to the above:

Hello Oliver,

This vulnerability is for Outlook 2000. However, the signature should fire only when the email containing the spoofed links gets analyzed by the sensor. If you craft the email with the links and then click on them, the sensor would not trigger this event. As far as the URLs still showing what is after the *, I will do some research as to why they are still visible. Everything I've read on the subject suggests that we shouldn't be able to see the "hidden" portion of the URL.

15/11/2004 - sent email to ISS

Can you please let me know what you have discovered from your testing.

16/11/2004 - reply from ISS

Hello Oliver,

I have continued testing this exploit, and currently cannot get it to hide the URL after the *.
Although, it should be noted that during the various ways that I have been crafting the emails, when I try to save the file my McAfee Anti-Virus discovers it and will not let me save, due to that exploit. I have to disable my AV in order to try to test this. I am trying to find out if this has been fixed by Microsoft, but information on this particular exploit seems to be scarce.

Thanks,
Charles Bennett
Technical Support Analyst

22/11/04 - email to ISS

Can you please let me know what you have discovered from your testing.

24/11/04

Hello Oliver,

The Email_Outlook_URL_Spoof signature is still a valid signature. It will fire when it detects a URL with an * in it. However, I have not been able to reproduce the spoofing using my email programs. It is possible that this was corrected with a hotfix at some point. The signature, however, still functions normally. If you would like a bit more info about this, here is a link: http://lists.sans.org/pipermail/list/2003-December/045129.html

Thanks,
Charles Bennett
Technical Support Analyst

reply to ISS

I have repeated the test URLs with a completely unpatched Win2k, and the full URLs were still displayed, hence this is not related to any hotfixes. The link you have provided talks about URL spoofing, but it does not relate to URL spoofing via the "*", which is what the signature is concerned about. I disagree that the signature is still valid. The signature is only valid if there is in fact a URL spoofing scenario involving use of the "*". So far it appears that we have no first hand proof that the vulnerability actually exists; all we have is the email linked to from the help for the signature - http://archives.neohapsis.com/archives/bugtraq/2004-05/0094.html

Can you please provide at least one actual case in which this URL spoofing scenario occurs. Otherwise can you please have the signature removed in the next XPU.

1/12/04 - reply from ISS

Hello Oliver,

This signature fires when the sensor detects a URL with a "*" in it.
I can understand what you mean about it appearing to be an invalid signature due to not being able to reproduce the vulnerability itself. This vulnerability has been documented in the past, and in the interest of security, the signature was created. As stated before, the signature looks for URLs with an "*" only, and has no way of knowing if an email client is able to see what is after the * or not. As such, the signature is technically still valid. If this signature is firing and you only see false positives (an example would be web traffic to yahoo.com or hotmail; they use * to redirect sometimes), you can tune the policy on the sensor or turn the signature off completely if you feel that the vulnerability poses no threat to you.

Thanks,
Charles Bennett
Technical Support Analyst

1/12/04 - email to ISS

Can you please provide the name and version of the email clients that are discussed by the documentation you refer to.

3/12/04 - reply from ISS

Hello Oliver,

You can see which email clients and on what platforms are vulnerable to this at the following link: http://www.securityfocus.com/bid/10324/info/

Thank you,
David Hannum
Technical Support Analyst

3/12/04 - reply to ISS

This is starting to go in a loop. I've already stated that I've tested several of the versions reported to be vulnerable, and the support analyst I was dealing with also could not reproduce the behaviour. Reading the "discussion" tab of the link you sent, the wording ("It has been reported", "It is said") suggests that the vulnerability has not been confirmed, and the entry in the securityfocus database is purely on the say so of whoever made the claim. If ISS has confirmed this vulnerability, can you please state which products and versions were verified to have the vulnerability.

8/12/04 - reply from ISS - the confession

Hello Oliver,

I have looked further into this issue and could not determine that ISS has officially confirmed this vulnerability.
This signature was implemented as a security measure, in order to protect against a possible threat. Please submit an Enhancement Request to our Product Management Team via the following link if you would like for X-Force to remove the signature from the next XPU: https://www.iss.net/issEn/MYISS/enhancementRequest.jhtml

As there is nothing more that Technical Support can provide on this incident, it will be set to closed.

Thank you,
Charles Bennett
Technical Support Analyst

I have submitted the request to have the signature removed.

Oliver
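As an added illustration (not part of the thread and not ISS code), the Python below mimics what the support replies say the signature does: flag any href whose URL contains "*", and separate the yahoo-style "*" redirectors the analyst names as a false-positive source from any other asterisk URL, so the tuning decision he describes becomes explicit. The sample mail body reuses three of the test links from the thread plus two links constructed here; the trusted-redirector list is an assumed tuning value.

```python
import re
from urllib.parse import urlsplit

# Constructed sample body: the first, second and fourth test links from the thread,
# plus two extra links made up here (one clean, one '*' URL on a non-yahoo host).
SAMPLE_BODY = """<html><body>
<a href =" http://us.rd.yahoo.com/mail_us/taglines/aac/*http://promotions.yahoo.com/new_mail/static/ease.html ">bad link 1</a>
<a href =" http://drs.yahoo.com/example.com/NEWS/*http://slashdot.org/#http://drs.yahoo.com/www.example.com/NEWS ">bad link 2</a>
<a href="http://rd.yahoo.com/*http://nd1.2828.to">bad link 4</a>
<a href="http://www.example.org/index.html">clean link</a>
<a href="http://www.example.net/go/*http://www.example.com/">constructed star link</a>
</body></html>"""

# href values, tolerating the "href =" spacing and padded quotes used in the thread's test mail
HREF_RE = re.compile(r'href\s*=\s*"\s*([^"]*?)\s*"', re.IGNORECASE)

def extract_hrefs(html):
    """Return every href value in document order."""
    return [m.group(1) for m in HREF_RE.finditer(html)]

def split_star_url(url):
    """Split at the first '*': (hostname before it, text after it), or None if there is no '*'."""
    if "*" not in url:
        return None
    before, after = url.split("*", 1)
    return urlsplit(before).hostname, after

def classify(url, trusted_redirectors):
    """'clean' (no '*'), 'redirector' (star URL on a listed redirector host), else 'star-url'."""
    parts = split_star_url(url)
    if parts is None:
        return "clean"
    host, _target = parts
    if host and any(host == d or host.endswith("." + d) for d in trusted_redirectors):
        return "redirector"  # the yahoo-style case the analyst names as a false-positive source
    return "star-url"        # what the signature, as described, fires on with no further context

def scan(html, trusted_redirectors=("yahoo.com",)):
    """Label every link in an HTML mail body; trusted_redirectors is an assumed tuning list."""
    return [(url, classify(url, trusted_redirectors)) for url in extract_hrefs(html)]

if __name__ == "__main__":
    for url, label in scan(SAMPLE_BODY):
        shown = split_star_url(url)
        print(f"{label:10s} {url}" + (f"  -> text after '*': {shown[1]}" if shown else ""))
```

The "text after '*'" column is what every client in the thread actually displayed, which is the part the signature's description assumed would be hidden.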
