Blue Coat

USING PROXYSG3 TO PREVENT URL SPOOFING

Description:

Using a vulnerability in Microsoft Internet Explorer, Outlook Express, and many other web and mail clients, an attacker can construct a fraudulent web page or email message that controls the display of URLs in the status bar and the web-browser address bar. This can be used to trick end-users into divulging sensitive information or downloading malicious content.


Example: "http://www.bad_site.com" could be displayed as "http://www.good_site.com"


Since this problem was first reported in December 2003, a number of new variants have been discovered. Although some variants only affect specific browser versions, a VISA email fraud has been detected that affects most browsers and email clients. The policy in this advisory now protects against all known variants of the vulnerability.


Recommendations:

Enter the following code into the Local Policy File. It works by inserting client-side JavaScript into each HTML page served by the ProxySG; the JavaScript detects whether the page was reached using a spoofed URL and, if so, shows the user the real URL.


 
define javascript Protect_IE
prolog <<XXX
if (location.protocol != "ftp:" && location.href.match(/^[a-zA-Z]+\:\/\/[^@/]*@/)) {
    var real_url = location.protocol + "//" + location.host + location.pathname + location.search + location.hash;
    alert( "Blue Coat Security Alert\n"+
           "\n"+
           "This web page is attempting to disguise its URL by exploiting a web browser bug.\n"+
           "(Look at the URL in the Address bar.)\n"+
           "The real URL is:\n"+
           "\n"+
           real_url );
}
XXX
end
define action Protect_IE
  transform Protect_IE
end
<proxy>
  action.Protect_IE(yes)
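The check the injected script performs can be exercised outside a browser. The block below is an added example, not Blue Coat's policy code: it reuses the advisory's regular expression on plain URL strings and, for a flagged URL, reconstructs the real destination the way the alert() above does, using Node's WHATWG URL parser (`new URL(...)`). The sample URLs are constructed; the host names are the advisory's own example names.

```javascript
// Added example (not part of the Blue Coat advisory): classify URL strings the
// way the injected Protect_IE script does, and recover the real destination.

// Pattern copied from the advisory's script: scheme, "://", then a run of
// characters other than "@" or "/" followed by "@". Because "/" is excluded
// from the run, an "@" that only appears in the path does not match.
const SPOOF_RE = /^[a-zA-Z]+:\/\/[^@/]*@/;

function analyzeUrl(href) {
  // ftp: URLs carry user@host legitimately, so the script leaves them alone.
  const spoofed = !/^ftp:/i.test(href) && SPOOF_RE.test(href);
  if (!spoofed) {
    return { spoofed: false, realUrl: href, userinfo: null };
  }
  const u = new URL(href);
  return {
    spoofed: true,
    // Same reconstruction the injected alert() shows: the URL with the
    // userinfo dropped, so the host that will actually be contacted is visible.
    realUrl: u.protocol + '//' + u.host + u.pathname + u.search + u.hash,
    // The text placed before "@", which the spoof relies on being read as the
    // site name in the address bar.
    userinfo: u.username + (u.password ? ':' + u.password : ''),
  };
}

// Constructed sample URLs (host names taken from the advisory's example).
const SAMPLES = [
  'http://www.good_site.com@www.bad_site.com/login?x=1#top', // userinfo spoof
  'http://www.good_site.com/login',                          // ordinary URL
  'http://www.good_site.com/user@example.com',               // "@" only in the path
  'ftp://anonymous@ftp.example.com/pub/',                    // legitimate ftp userinfo
];

for (const href of SAMPLES) {
  const r = analyzeUrl(href);
  console.log(r.spoofed ? `SPOOFED  ${href}\n  real URL: ${r.realUrl}` : `ok       ${href}`);
}
```

Running it flags only the first sample and reports `http://www.bad_site.com/login?x=1#top` as the real URL; the ordinary URL, the URL with an `@` inside its path, and the ftp URL pass, which matches what the injected script does in the browser.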

In addition, if you do *not* have the popup ad blocker installed, add the following code to the Local Policy File as well. (If you later enable the popup ad blocker using the VPM, *remove* this code.) JavaScript insertion does not work if the page is compressed; the following code prevents web servers from serving compressed content to the ProxySG by removing the Accept-Encoding header from each request.

; Strip Accept-Encoding so origin servers return uncompressed responses,
; which the JavaScript transform above can then modify.
define action ForceUncompressedResponse
      delete(request.header.Accept-Encoding)
end
<Cache>
  action.ForceUncompressedResponse(yes)

Caveats:

If you do not have the popup ad blocker activated, this policy will increase the CPU usage of the ProxySG. If you already have the popup ad blocker activated, your CPU usage should remain the same.


If a spoofed page was already in your web browser cache before you installed the above policy, the web browser will not refetch the page from the ProxySG, and the JavaScript will not be inserted. As a result, the policy code given above will appear not to work. The solution is to clear your browser cache before testing spoofed URLs.

Additional Information:
http://www.securityfocus.com/archive/1/346948

http://zdnet.com.com/2100-1105_2-5119440.html

http://www.zapthedingbat.com/security/ex01/vun1.htm

http://slashdot.org/articles/03/12/11/1319212.shtml