Posted: 11 February 2005 at 9:17am

Don't get scammed by the 'Bait and Switch' trick
By Chris Mosby
The "Bait and Switch" routine is an old sales tactic. A store will advertise something for an outrageously low price or some other kind of unbelievable deal. That gets you in the door, and then you hear things like, "We're out of stock right now, but since you're here, wouldn't you like to look at this instead?" It's an unethical thing to do, but I'm sure that more than one store out there still uses this

Under the right conditions, hackers can do the same thing when you're surfing the Web. Browser and application vulnerabilities allow a hacker to make you think you're on one Web site, when you're actually on another. From there, anything can happen.
Don't let hackers frame
Security firm Secunia last July that a 6-year-old vulnerability that was thought to be patched is still present in browsers from multiple vendors.

allows a hacker to hijack a frame in a legitimate Web page. The perpetrator can then insert his own page in an effort to make you think that page is legit,

The booby-trapped page can then use other hacker methods to trick you. Because the page looks normal, you might reveal bank or credit card information, unknowingly install a Trojan horse on your computer, or fall prey to other tricks. This vulnerability exists because browsers didn't validate frames to ensure they belonged to the Web site of the parent

Since this vulnerability was re-discovered, most browser vendors have supplied patches or upgrades to their browsers to re-fix this problem yet again. But not all have done so.
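To make the missing check concrete, here is an added example (not from the article or from any browser's code) that models two frame-navigation policies over a toy frame tree: the permissive behaviour the article describes, where any window that knows a frame's name may navigate it, and the descendant-style rule patched browsers adopted. The site names, frame names and the policy details are constructed assumptions for illustration.

```javascript
// Build a frame tree from plain objects; `parent` is null for a top-level window.
function makeFrame(name, origin, parent = null) {
  const frame = { name, origin, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

// True if `candidate` appears anywhere on `frame`'s chain of parents.
function isAncestor(candidate, frame) {
  for (let f = frame.parent; f; f = f.parent) {
    if (f === candidate) return true;
  }
  return false;
}

// Vulnerable behaviour described in the article: any window that knows the
// frame's name may navigate it, with no check of origin or of which window
// the frame lives in.
function legacyCanNavigate(_source, target) {
  return target.name !== '';
}

// Approximation (assumed, simplified) of the policy patched browsers adopted:
// the navigating page must share the target's origin, contain the target
// (be one of its ancestors), or be nested inside a top-level target.
function descendantCanNavigate(source, target) {
  if (source === target || source.origin === target.origin) return true;
  if (isAncestor(source, target)) return true;
  if (target.parent === null && isAncestor(target, source)) return true;
  return false;
}

// Constructed scenario: a legitimate site with a named content frame, and an
// unrelated second top-level window that aims a navigation at that frame by name.
function evaluateScenario() {
  const site = makeFrame('', 'https://bank.example');
  const content = makeFrame('content', 'https://bank.example', site);
  const other = makeFrame('', 'https://other.example');
  return {
    legacyOther: legacyCanNavigate(other, content),         // true: frame hijacked
    descendantOther: descendantCanNavigate(other, content), // false: blocked
    legacySelf: legacyCanNavigate(site, content),           // true
    descendantSelf: descendantCanNavigate(site, content),   // true: the site's own frame
  };
}
```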
Browsers that are still vulnerable:
• Internet Explorer 5.01 through 6.x
• Konqueror 3.1-15redhat

Here's a list of browsers that are no longer vulnerable:
• Mozilla Firefox 0.9 and
• Mozilla 1.7
• Opera 7.52
• Camino 0.8 (build 2004062308)
Yes, you read that right. Internet Explorer is still defenseless against this 6-year-old

Microsoft tried once before, patching a similar vulnerability in . But the problem crept back into the browser with version 5.01 and up. The problem has been confirmed to affect even a fully patched Internet Explorer 6 on Windows XP SP2.

What to do: Make sure you're using the latest version of your browser of choice, and keep it updated with any patches that are available. If there isn't an upgrade or patch for the browser that you're using, switch to one of the browsers listed above that isn't affected by this problem.

If you've implemented the recommendations for hardening Internet Explorer in the , issue of the Windows Secrets Newsletter, then you're already protected from this problem.
If not, you can disable IE's "Navigate sub-frames across different domains" setting as follows:
• Open the Tools menu in Internet Explorer.
• Click Internet Options and select the
• Select Internet Zone, then click the Custom Level
• In the dialog box that opens, look for the Miscellaneous
• Finally, click Disable on Navigate sub-frames across different domains.

For more info about the problem, see Secunia's advisories on the and a that shows whether your browser suffers from the security