BleepingComputer: Internet Explorer bug lets a web site see what you type in the address box

Topic

New Reply

So you’re sitting on web site somesnoopingsite.com And you type something in the address bar. Say, “morbidity analysis of deprecated hamburgers.” You
[See the full post at: BleepingComputer: Internet Explorer bug lets a web site see what you type in the address box]

3 users thanked author for this post.

AJNorth, Elly, MrBrian

Reply | Quote

Replies

An attempt to get more W10 users off IE11 and onto Edge?
‘Feature not a bug’ springs to immediately mind.

If debian is good enough for NASA...

Reply | Quote

I wouldn’t put anything past them any more.

The BleepingComputer piece doesn’t specify, but it sounds like this would apply to IE on any version of Windows.

Drat — another reason to move away from IE. That’s too bad, because to me the way IE organizes Favorites is much simpler and easier to understand than Firefox’s way.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

SueW, HiFlyer

Reply | Quote

‘Feature not a bug’ – exactement!

Reply | Quote

Not to put too fine a point on it, but… Personally, I have never trusted any browser to maintain proper isolation under such circumstances. Consequently, I always begin new activities with a blank page or tab, and I encourage others to do likewise.

1 user thanked author for this post.

Bill C.

Reply | Quote

From http://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/: “For example, right now all IE users can be turned into bots with the zombie script bug (which has been public and unpatched for months). If you don’t think it’s important, then imagine what black hats can do right now: they can stay in your browser even if you navigate to a different site, which gives them plenty of time to do ugly stuff like mining digital currencies while abusing of users CPUs.”

Reply | Quote

You would actually have to clear your browser history before typing anything new into Search or the Address Bar. I have the HotCleaner Click and Clean extension so I can do this if I so desire, or if Chrome starts to slow down.

-- rc primak

Reply | Quote

This sounds a bit like the issue highlighted in June, where Navistone was able harvesst data typed into website forms before the user hit Submit. The twit.tv discussion on the issue was posted in Code Red – Security alerts: https://www.askwoody.com/forums/topic/before-you-hit-submit-this-company-has-already-logged-your-personal-data/

Reply | Quote

Why would I want to type a search string into the address bar?

It’s possible to introduce, through a 3rd party open source add-on (Quero Toolbar), a separate search box. I’ve been using IE like this for years. It’s much better, IMO:

This is just another in a long line of good reasons not to repurpose an address box as a search box. Addresses and search terms are apples and oranges.

-Noel

2 users thanked author for this post.

AJNorth, Bill C.

Reply | Quote

Now I’m thinking of the mobile browsers for cell phones we use; Firefox also will let people search by using the address bar now and will remove the separate box in two months time. Now is the time to be looking for something else…

Reply | Quote

I don’t get it… as a website owner, hasn’t I always been able to see where my customers go, when they leave me? Through the webserver’s log system, I mean.

And I’m one of those using the address bar… like it a lot! 😛

Keeps IE header small and everything on one line….

1 user thanked author for this post.

Noel Carboni

Reply | Quote

“Condition one: Attackers can hide malicious HTML object tags in hacked sites or load it via ads…”

Keeping my ad blocker on!

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

SueW

Reply | Quote

People still use IE11 after all the holes that have been found?

There is a reason Microsoft decided to end it, instead of fixing it.

Windows 10 Pro 22H2

Reply | Quote

There are actually very few “holes” in IE once you’ve reconfigured the security settings to be tight. Thing is, Microsoft developed it to work in a utopian world where you don’t have malicious web sites trying to load malware or other nefarious things into your computer.

One nice thing that IE provides that few folks notice or take advantage of is the ability to DE-configure a lot of that promiscuity, so that it just won’t run things from the wild internet. There are literally pages upon pages of settings in IE that can allow you to lock many things down, and generally with few downsides! The nice thing about IE is that you can configure different settings for the Internet Zone and for your Trusted Sites zone, so conceivably you can add your bank or enterprise web site to your Trusted Sites zone and still have everything else from the wild internet locked down.

With the settings locked down I’ve used IE for decades without contracting any infections whatsoever. It’s a good browser because Microsoft actually HAS worked on browser security for quite a long time. Don’t forget, IE was the most used browser up to a few years ago.

With regard to this particular bug… With my settings I cannot be bitten by this bug. Instead, I only see:

Beyond that…

As poster “Jan K.” has stated, web sites have been able to track where you’ve been because browsers will happily disclose data about the last visited URL you’ve come from.

Not to mention the fact that what you type in the address or search boxes usually (with default settings in most browsers) is sent abroad keystroke by keystroke. How do you think the system makes suggestions about what you might want to search for while you’re typing? I de-configure that stuff too. It’s not hard to imagine someone intercepting those packets – they’re not encrypted.

I suggest these things:

1. Review the advanced settings your browser offers, strive to understand what they do, and deconfigure the ones that open you up to potential problems. The defaults are often too permissive because they give you access to the most glitz.

2. Consider adding some form of ad and tracking blocking/blacklisting such as uBlock Origin, firewall, or DNS proxy.

3. No matter what software you’ve chosen or what security layers you have in place it would be best to not get too comfortable thinking that what you type into any box of a web browser is private.

-Noel

7 users thanked author for this post.

SueW, Bill C., HiFlyer, Elly, DrBonzo, Cybertooth, wdburt1

Reply | Quote

By the way, from what I can see Microsoft Edge has removed a LOT of that essential configurability I mentioned. I only tested it briefly, so I don’t know whether the defaults are more restrictive than those of IE. I do know it doesn’t run ActiveX.

It figures that Microsoft would trim off the essential parts to dumb things down.

For what it’s worth I’m currently evaluating Pale Moon with uBlock Origin (and of course after a review of all settings) as a potential IE replacement. I don’t plan to add other add-ons after uBlock. So far, considering the other security layers I have, I’ve not found anything really more or less secure about it than the configuration I had with IE. It seems to work acceptably well.

-Noel

4 users thanked author for this post.

HiFlyer, Elly, DrBonzo, wdburt1

Reply | Quote

@Noel Carboni

I, too, am interested in Pale Moon and other browsers that aren’t ‘mainstream’. But it seems many (most?) financial institution websites only support Chrome, Firefox, IE, and Edge. And it gets worse if you are using something like Ubuntu. Do you have some way of dealing with non-support of Pale Moon by banks, etc?

Reply | Quote

@DrBonzo, I’m not Noel  😉  but I do use PM. Typically (not always), the website interprets PM as “Firefox”, so you might be OK visiting your bank’s site with it. I haven’t run across problems of that kind while using Pale Moon.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

Noel Carboni, DrBonzo

Reply | Quote

Cybertooth wrote:

I do use PM. Typically (not always), the website interprets PM as “Firefox”, so you might be OK visiting your bank’s site with it. I haven’t run across problems of that kind while using Pale Moon.

Likewise, I’m seeing a fair bit of compatibility, since Pale Moon is derived from a FireFox source set. The apparent philosophy of the product, centering on simplicity and privacy, seems to match my goals pretty well. Browse to site xxxxx.yyy and you don’t see it access a whole bunch of other sites, just xxxxx.yyy.

Note the setting I’ve highlighted here in the PM preferences:

I’ve found so far, in a few days of testing, that Pale Moon + uBlock Origin is allowing almost no bad sites to get to my next layer of security (DNS proxy with custom blacklists). That’s a Good Thing.

-Noel

3 users thanked author for this post.

Elly, MrBrian, Cybertooth

Reply | Quote

I’m not Noel either 😉

The biggest problem with some financial sites is that they’re not secure enough; if you access them with a relatively old and insecure browser version, they will drop their security to match, yet they often don’t follow best practices and cut off supply for those browsers that are stuck using old and vulnerable protocols, etc. This can leave your connection open to abuse via ‘man in the middle’ attacks etc.

Check all servers you have something of value on using Qualys SSL test: https://www.ssllabs.com/ssltest/index.html it will pinpoint almost all current security issues. This data could then be used to temporarily lower Pale Moon’s default security to match the best your financial server has to offer; there’s an Add-on to help with this, Pale Moon Commander: https://www.palemoon.org/commander.shtml

To enable connections to the vast majority of sites and get the ‘real’ content supplied, there are three basic User Agent Compatibility Mode switches as standard: Native, Gecko and Firefox.

If these fail, an added line in about:config will allow you to use a recent (or older!) standard User Agent to connect; there are already a number of sites that have overrides preset (none are banking sites), so you could use one of those in the format: New String name “general.useragent.override.sitename.com“, changing the sitename.com to the address of the server that’s playing hard to get; the value needed might be something like “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.9) Gecko/20100101 Firefox/52.9 (Pale Moon)”. Typing “general.useragent.override” in about:config’s search pane will show you those values.

Pale Moon Commander can also be used to modify a number of other security/privacy and other settings, maybe even some that Noel would approve of ;).

7 users thanked author for this post.

HiFlyer, Bill C., Noel Carboni, wdburt1, Elly, DrBonzo, Cybertooth

Reply | Quote

Epic Privacy browser works well with online trading sites.

2 users thanked author for this post.

samak, DrBonzo

Reply | Quote

After about 20 years being a dedicated IE fan, I am now using Chrome. I am gradually phasing out of IE and have advised my clients to do the same.

Everything Microsoft touches it turns to bad smelling waste.

CT

2 users thanked author for this post.

HiFlyer, wdburt1

Reply | Quote

Hasn’t Chrome allowed this and much more snooping for all the time it has existed? How do folks figure that Chrome is more private than IE?

As for the other post suggesting using an ad blocker — AFAIK no ad blocker or script blocker would have prevented this type of snooping. Someone correct me if I am wrong.

-- rc primak

Reply | Quote

It’s never occurred to me not to use an address bar for a search entry. It’s neat, simple, and intuitive. However, if there are good reasons for not doing so, then perhaps a brief article explaining that would be a useful thing? I’m sure that 99% of amateur users (and quite a lot of professional users if not most of them) use the address bar for search entries and would benefit from having it explained to them if there’s a problem with it.

However, it’s long occurred to me not to use IE. I keep IE11 updated purely because Windows 7 and some applications rely on it in various ways and it’s a recommended security measure, but I only ever use it if I have a problem accessing a site with Chrome and want to check whether it’s a Chrome issue or not. That happens like once or twice a year.

2 users thanked author for this post.

HiFlyer, JDeC

Reply | Quote

Noel Carboni wrote:

With regard to this particular bug… With my settings I cannot be bitten by this bug. Instead, I only see:

Noel, which specific IE setting prevents exploitation of that bug? Is it the one about whether to run ActiveX scripting automatically? Something else?

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

Cybertooth wrote:

Noel, which specific IE setting prevents exploitation of that bug? Is it the one about whether to run ActiveX scripting automatically? Something else?

That’s a fair question, and I haven’t looked into the specifics. One of several settings could be involved:

1. I deconfigure ActiveX entirely, and that’s what usually leads to the “An add-on failed to run” messages. However, I did not see an ActiveX specified in the target page.

2. I have disabled many add-ons in IE’s “Manage Add-ons” section. Most folks don’t realize that add-ons – even those from Microsoft – aren’t needed to successfully browse web sites. This is what I have set up currently there:

3. I also reduce what scripts can do, so one/some of the general settings I have for the Internet Zone might be blocking this particular exploit:

4. Just for completeness, here are my advanced settings.

Please question anything you see here that you don’t understand or which seems wrong. There are a lot of settings! I believe I have them in pretty good shape but I’m only human and may have missed something.

-Noel

3 users thanked author for this post.

Elly, samak, Cybertooth

Reply | Quote

Wow Noel, what a thorough reply! [thumbs up]

You gave me some work to do comparing my IE security settings to yours, but right away I can say it was interesting to see that you have disabled most of Microsoft’s own built-in extensions.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

Cybertooth wrote:

right away I can say it was interesting to see that you have disabled most of Microsoft’s own built-in extensions.

I have this philosophy that kind of goes like this:

What Microsoft did a long time ago is pretty good, and got nice and mature through years of patching. So deconfiguring “modern” things from their OSs and applications seems a good idea.

In practice I have found it to be true all along. I tend to stick with more “old fashioned” core functionality and shun the newest stuff, and lo and behold Windows just becomes a more solid, reliable workhorse.

-Noel

2 users thanked author for this post.

Jan K., Cybertooth

Reply | Quote

Nice settings, I tweaked a couple of mine to improve security a bit. However, you may have “missed” one.

Under Security in the Advanced Settings tab, the setting for “Block unsecured images with other mixed content” I have the setting checked, whereas you don’t. I’ve had it checked ever since finding out about web beacons used for tracking you even with the “do not track” beacon on full blast. The unsecured images setting kills a great number of these little 1×1 pixel beacons if you’re not running some sort of ad or tracking blocker add-in to IE or other browsers. Further, if I’m on a secure page using https, then as far as I’m concerned, the whole page should be delivered securely or I’m not using it, PERIOD. That’s why I also have enabled the blocking of mixed content in Firefox as well…what I see should be secure if I’m on an https page or forget it, I’m not using it.

This policy has served me well for a good number of years. Kept a load of junk-ware off my computer, but with the help of other items I also use in a layered approach.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Bob99 wrote:

you may have “missed” one.

The unsecured images setting kills a great number of these little 1×1 pixel beacons if you’re not running some sort of ad or tracking blocker add-in to IE or other browsers.

Thanks. I do have ad and tracking blocking through an uncommon DNS proxy setup that uses blacklists with tens of thousands of sites and domains, but I will change that setting and see if anything looks different. I notice, for example, that PayPal tries to put up a 1×1 transparent pixel here on AskWoody.com.

This is why I love this site… I’m continually learning new things. Thanks again!

-Noel

Reply | Quote

However, since the aforementioned setting only blocks unsecured images in mixed content environments, it shouldn’t block the little 1×1 clear pixel on this site from PayPal, as it comes from a secure (https) site.  🙁

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Bob99 wrote:

However, since the aforementioned setting only blocks unsecured images in mixed content environments, it shouldn’t block the little 1×1 clear pixel on this site from PayPal, as it comes from a secure (https) site.

Exactly right, IE still requests that one pixel image, yet I’m finding uBlock Origin on Pale Moon DOES somehow detect and block it.

I have actually used PayPal to pay for something, so the additional smarts in uBlock Origin are apparently able to detect the specific request and trash it without destroying access to PayPal in general.

-Noel

Reply | Quote

Ok, here we go again! I just had an earlier reply to Noel’s post #134666 swallowed up by the system. My reply was post number 134679. It deals with the clear pixel that PayPal has on this site. It would be nice to get it “resurrected” from the accidental “trash bin” and re posted here where it belongs.

Thanks in advance!

Reply | Quote

The site is still not functioning properly. Your reply was not swallowed up.

The problem lies in the fact that there may be a 30 minute delay between the time you submit your reply and the time it shows up in the thread. BE PATIENT. It is not lost.

2 users thanked author for this post.

Cybertooth, Noel Carboni

Reply | Quote

Noel, Back in your post 134559 you listed your advanced IE settings. I have TLS 1.0 turned off in my settings since it has ‘holes’ and has not been current for a long time. Since I turned it off, I have seen just 2 websites that still use it, so the browser blocks my access. Got the idea from “Defensive Computing” by Michael Horowitz.

Am experimenting with Pale Moon also and changed appropriate setting there.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

So why is anyone still using Internet Explorer?  Woody has been telling us for ages not to use it. Thats like going to the Doctor and saying I dont have to do what he says because I know better.

2 users thanked author for this post.

HiFlyer, JohnW

Reply | Quote

I’ve always found it to be very quick, never had any safety issues despite the “darker” places I visit… but most important for me is the way it handles and let me organize bookmarks.
Haven’t found any “better” browser in this regards, so that’s why I cling on the IE11…

 

1 user thanked author for this post.

HiFlyer

Reply | Quote

Sam wrote:

So why is anyone still using Internet Explorer? Woody has been telling us for ages not to use it. Thats like going to the Doctor and saying I dont have to do what he says because I know better.

I believe people have been put off from using IE because it’s configured to allow way more than it should by default, and thus has been the vector for many attacks. It was the default and pre-eminent Windows browser for a long time. It also embraces compatibility like no other – it literally has all the logic for all the prior versions going way back still in it. Being the most used and most flexible, a lot of attacks were developed for it.

Frankly going through and understanding the several hundred available settings to change that situation is something only a geek (like me) could love.

People writing for the masses (e.g., Woody) generally advise against using it. But that doesn’t preclude thinking for yourself. If your doctor told you to drink poison (e.g., by accident), I should hope you’d use your common sense and avoid doing so.

IE actually does have some advantages, especially when locked down with non-default settings (see my post somewhere up above). The security model actually makes it possible to carefully control what’s allowed and what’s not. And when not burdened with add-ons it’s actually quite fast to start up and navigate (I can’t sense a time delay between double-clicking the icon and seeing my home page, for example; it is no more than a tiny fraction of a second).

With 41 years experience doing computer and software engineering, and with security layers added to my systems that blacklist bad sites, I chose to use IE. It’s still perfectly functional for me, but I do see the writing on the wall with Microsoft choosing to leave it behind, so I have been evaluating Pale Moon (a FireFox derivative).

Most folks don’t have the security layers I have, and many don’t have the expertise to set them up, but adding something like uBlock Origin (which can’t work with IE) to your browser is a great start and it’s fairly easy to use and maintain. It just keeps your browser from visiting tens of thousands of bad web sites, but lets the content you want to see through.

-Noel

2 users thanked author for this post.

Elly, SueW

Reply | Quote

The Epic Privacy browser was mentioned further up this thread. It sounds quite good to me. Does anyone on here use it or know about it?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

I don’t get the person above who talked about reading forum data that’s not been submitted yet. That’s always been possible with JavaScript. The forum data changes properties on the DOM, and a website can open up a connection behind the scenes to send that data back. In fact, that is how forms that autosave (e.g., Gmail’s compose window) work. It just has to adhere to the same origin policy.

Is that the issue? That an ad could read the forum data from another part of the page, and send it back, rather than it having to be the same origin as the form?

Reply | Quote

Please, excuse my probably naive question: Is this a problem only when using the address bar, or also when using the search one?

Reply | Quote

And the question is, Why would anyone still be using Internet Explorer?

Reply | Quote

Well, ActiveX shouldn’t be enabled anyway. Whatever, I was not able to reproduce even with ActiveX enabled. No idea how this guy made it work in the video. Maybe Windows 10 is not affected?

Reply | Quote

Seff, actually, the vast majority of users of IE don’t even know there is an address bar.  You would be surprised how many people find a web page by typing an address into a Google search box on the main Google page, or Yahoo.

In fact, the vast majority of my clients have never even thought of doing a search in the IE address bar.

Reply | Quote