Visual Spoofing

While Microsoft recently patched a URL-based spoofing vulnerability, a whole new class of spoofing exists for browsers: Visual Spoofing.  I have not yet seen any evidence of this type of spoofing actually being done, but I was able to create a demo in less than an hour.

Here is the demo of visual spoofing for IE6 that I put together.  Note that the vulnerability is not unique to IE.

The problem with visual spoofing is that it is difficult to fix with a simple patch.  Yes, there are ways to fix the problem partially, but I don't see a way to remove it completely, because hackers can still create a page with images of overlapping windows to distract clueless users, who tend to keep many windows open.

Update:

While thinking about tigers this afternoon, I stumbled onto an idea that could minimize the vulnerability, including the 'deeper problem', down to an acceptable level.  Why was I thinking of tigers?  I have no idea.  Anyhow, I'll post about it in the next day or two (look for a post titled 'Secure UI') after I explain the 'deeper problem'.

Boy, I feel better already.

See Also: Visual Illusions, Secure UI: Phishmarking