Slashdot Mirror
Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
I can stop typing in all my links by hand?
Oh wait- I use Mozilla. I didn't need to do that anyway.
I still have more fans than freaks. WTF is wrong with you people?
hm... they should patch IE up to be mozilla for example... that could be called a patch...
Aure entuluva!
I am sure M$FT will spin it as if this is an innovative feature.
S
I thought they don't care IE anymore.
Now check your in-boxes and make the InterWeb a Safer Place TM.
Nice try Microsoft. I'm not clicking links while running IE, as per your instructions!
I wonder what happened to the other 832893 security updates?
I'm supprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why does half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird. :)
Will Stokes Album Shaper http://albumshaper.sf.net
is there a direct link to this patch? tnx
Seems that Microsoft is still offering BIG patches this fix is 2.8mb ! damm, just for a link problem I don't know if they included a new clippy bmp in that ?!?! :)
Mess with the best, die like the rest
Better late than never ^_^
I punched a baby once.
So why is MS posting this? Nothing in this seems like it can't wait 8 days...
Oh and for all of you who don't use Windows SUS - why not? I'm going to patch 350 machines with 5 clicks later this week. Stop your bitchin and get better tools.
Please Mr. Gates, calm down, relax, breath deeply.
anger management.. Chill, they fixed thew patch, we'll shut up now.. Don't blow a heart valve over this.. Gee..
I, for one, think it's wonderful that Microsoft takes such an active interest in fixing the few security holes found in their products. And with such speed! Kudos to you, Microsoft!
As much as I love the mozilla browser, the fact remains that IE is the dominant browser out there and the easiest to install for Windows users hence this is great, important news. Now to start downloading the patch.
The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:
Why the hell does this require a kernel patch?
Mad Software: Rantings on Developing So
Thank god that crisis is over. Now I can sleep better at night. Well, once they work out those few remaining holes..
Disclaimer: I use linux. I fret not.
I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?
Jedidiah
Craft Beer Programming T-shirts
I switched away from IE a while ago because the browser windows would mysteriously disappear while using Microsoft's own Virtual Desktop Manager. Firebird works fine with it. It's ironic that Firebird integrates more well with one of MS's products than MS's own product does.
There's always the fact that those of us who want to use this bug to, say, show "grades" to our "parents" online will keep this unpatched, thus allowing us to give them our "real" grades without the wonders of Photoshop or Fireworks or the GIMP.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer
/.
So now all those goatse URL's finally parse back to the trolls at
Rule #1 -- Politics always trumps technology.
Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
http://tomgould.com/
If I had a cert from Moe and Curly's Software Emporium I'd start trying to learn about real computers and forget about toys.
My 9mb windows update was going along fine, then slows to a crawl around 4mb's before dying. While waiting I decide to read /. and now I see why.
:/
Thanks all.
Do you have to pay for the patch???
I am become Troll, destroyer of threads
So you don't have to match up the knowledge base numbers in WindowsUpdate:
Here
Here
Here
Here
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
I just reload the OS (if you can call it that) every month.
I saw it on tv last night. I think it was
f eb/en/?&mid=2304520392lHKJH09728037420987&dll=LKJ2 3L4SD09UVC9432J5JS-9UDFLKJN345U9SLKJ4L5U0SJCS4
http://microsoft.com/download/patch/win32/2004/
In other words, some email/CC#/whatever harvester decided to pull a funny and use the correction for this flaw as a way to exploit the flaw. Now that I see that the described patch is legitimate, I'm actually laughing internally at the delicious irony.
By the time my mom got the email, the target web site had already been taken down by the sysadmin of the host.
None of this is to condone the action of the scum who blasted the email, but come on, that took some balls.
That's not Bill, that's Steve, and he's displaying normal behavior, move along.
wait isn't that sorta like MikeRoweSoft? how about a patch to help us read. and after that they could hand out Opera to everyone so this never happens again. ay yai yai
Sig (appended to the end of comments you post, 120 chars)
'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer
Yeah, the special characters www.google.com now correctly parse to search.msn.com
Once this thing finally hits 1.0 its gonna be a REAL solid piece of software. I'm glad to see they're still maintaining it regularly!
It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.
I left IE as well last week, opting instead for Opera, and really couldn't be happier. Screw 'em, I want my tabbed browsing!
"This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
"
...and even though they continue to break standards, people continue to use their software. Are users that ignorant and lazy? .. Why do I even ask that question.
http(s)://username:password@server/resource.ext
[alk]
It merely removes the feature containing the flaw. For an implementation of the feature without the flaw, see http://www.mozilla.org/
This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.
HPC for Primates. Read Cluster Monkey
"Aiee!!!", a death cry depicted in war comics?
My hyperlinks aren't worth the paper they're printed on.
Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on it's current assets. Talk about a load of smelly poo...
Why not just use k-meleon and be done with it? Its fast if not the fastest browser on Windows. Based on Gecko, its got all of the stuff that mozilla does, but none of the heavy GUI (K-meleon is pure MFC).
http://kmeleon.sourceforge.net
Brielle
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
Unfortunatly this isn't fixed as it should be, ie you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that problem this was unfixable presumably the reason for disallowing the '@' alltogether rather than a real fix. I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
I stole this Sig
I don't give a damn if this is offtopic or not. Sometime, somewhere, you will get some nasty ass real Karma for that link.
I know a lot of people suggest switching to Mozilla, but it's not even about Mozilla. Almost every other browser is better than IE these days. Opera, Konqueror, Mozilla, (insert other browsers here). IE hasn't had anything significant in years. It lacks basic even basic things other browsers have. Pop up blocking, tabbed browsing, the ability to stop gif ads from looping, much better basic security policies, more w3c compiant, they don't make up their own html tags, plus many many more.
IE is so horrible. It's gotten to the point that just by using IE you are pretty much guaranteed to get spyware/adware/virus. Most of the people I know who use IE have their homepage changed daily, get a new toolbar every two days, so many pop ups they have to reboot weekly, their email stolen from cookies hourly, and a partridge in a pear tree.
Since clicking on links is unsafe until we correct the link clicking bug, please open a dos prompt, run debug.exe and type in the following....
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
I've been using Bofa online banking for over a year now with Firebird with NO problems except one small CSS issue that appears when setting up a payee in Bill-Pay.
Instead of complaining about banks that recommend IE, move to BofA and tell your existing bank why you are moving!
"Blah blah, status quo, what can you do?"... as soon as it hurts their pockets, they'll add Mozilla support.
Don't just move for the tech though - the BofA system is very well thought out and feature rich and sells itself pretty well. I now pay all my bills through it. It even let's you send payments to individuals (I assume it mails them a check - never used it). I'm now down to writing 4 checks a month, and am hoping to eliminate those soon (I think my wife's going to take a little more coaxing though before she kicks the habit :).
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
While everyone keeps commenting that disabling this functionality seems to break an RFC, does anyone know which one it is? It seems like the kind of thign that would be one, but after a few minutes of cursory searching I can't find a reference.
If it truly an RFC, then Firebird (and I assume Mozilla) are equally as guilty - in thefew instances where I've tried to use this functionality (mostly as bookmarks for protected pages I frequent), it has yet to work. Bugzila anyone?
Cue The Sun...
I was always amazed at how a Windows SP would replace most executables, even stuff like calc.exe etc. Either their dependencies are horribly mixed up or its "lets be safe and replace everything".
If I used IE I might feel worried. Mozilla is my friend and your friend too.
And since MS has closed-source, I can never be sure, therefore I won't use Microsoft anymore.
They're a breeding-ground of spam and everything that's out of control is their own fault due to their policies.
I don't know the meaning of the word 'don't' - J
So what's the final figure? I know Mozilla was patched right away, last I heard the IE count was over 30 days.
i threw away my mouse when they suggested no clicking on URLs. now they fsck it and i have now mouse, what am i gonna do? hmmm, i should post this as an "ask slashdot".
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
Very informative, but there was an 'extension' to the spec, making xxx@yyy part of it
puts ("Python r0cks\n");
tha's all
Turns out this behaviour is specified in RFC 1738 (Uniform Reasource Locator), where it defines a URL as being of the form:
//<user>:<password>@<host>:<port>/<url-pa th>
Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?
Cue The Sun...
You can read the details here and here (original thread). It was caused by an update released back in November 2003.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Why did the chicken cross the road?
TO GET TO THE OTHER SIDE!!!! AHAHAHHAHA
Mod me up guys!!!!!!!! A 5 4 SURE!!!!!!! AHAHHAHAHA
Talk about lame! Our government deploys BillG's crap everywhere... Oh, I forgot, BillG is THE GOV'T.
gllshhht...
"...the RFC specification says that http authentication is not allowed in a http url, it is allowed in a generic URI but not for HTTP urls, this is an exception! RFC 1738 - Page 8
So, Microsoft is in fact sticking to the RFC this time, something they should have done long time ago. I have been blocking this "http authentication" in every mail I received on my domain for over a year, but when I saw the IE url obfuscation issue a few weeks back, I was amased that nobody knew this, so I thought I was wrong and that's why I didn't reply. Microsoft still gets a "D" from me for this big mess!"
NIS = Norton Internet Security?
Wasn't Big Bill talking about how they patched faster than the evil open source programmers not that long ago? Isn't this bug something that's been a problem for years, been know about for just as long, and been in hot debate for a couple of weeks now?
I thought so.
Seems like only lots of contraversy gets MS to update their software somtimes.
If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Have you ever been to a turkish prison?
If you are referring to the URI request for comments then you are wrong, it's not a standard. Check it out for yourself, the login syntax ([ user [ : password ] @ ] hostport) is only mentined inside of telnet:// and ftp:// not http:// or https://
1. is windowsupdate down tomorrow?
2. if windowsupdate is down, how will ms distribute patches in the future, will p2p networks be endorsed for the purpose for the same reasons as dod introduced the net in the first place?
My university uses an Exchange 2003 server for its e-mail. Well apparently this patch breaks logon using Outlook Web Access on that server. Turns out the username and password is in the URL being sent to the server, the same thing this patch kills.
Not sure if this is the way it is with every Exchange server or if it is how my university's server is configured, but if you use OWA you might want to be careful with this patch.
Removing support for user.password@www.address.net?
I just felt the death screams of 40,000,000 porn sites across the planet.
And the FUNNIEST thing ever...
Microsoft was trying to End Of Life support for Windows 98, so they came out with this "uber-patch" "Security Update" CD just this month, that supposedly would bring Windows 98 up to the highest level of security and then with the CD, they could wash their hands of it. The CD is being mailed to ever citizen in Japan, all these customers, tons of shit, etc.
The *FUNNIEST* thing is that this fix is not in the CD (of course) and now microsoft is even BACKTRACKING on ending support for Win98 (now supposedly goes until 2006). So this CD that they spent months developing and beta testing and sending out is now worthless...
SCO: 800-726-8649
Verisign: 800-361-8319, 888-642-9675
Diebold: 800-433-VOTE (8683)
...is the text of the update on Microsoft's Software Update Services service...
"...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."
although there's no mention of that in the KB article.
It was used to hide goatse links on k5 with such regularity that it did the unthinkable - prompted rusty to make a change to scoop.
Making the moon less necessary since 1998.
Windows 98 is supposed to continue to get security updates, and what about Windows Me?
Neither of those are listed as being supported by the update.
If we have this many security flaws now, what will it be like when microsux sends the majority of their programming jobs overseas? Kinda like... I know, lets have terrorist sympathisers write our crap! Good one(?)... Roger that Bill.
gllshhht...
Yes, but they did provide warning:
k b; [LN];834489
http://support.microsoft.com/default.aspx?scid=
Note that this KB article was changed today to reflect that it is indeed in this patch, however, this article has been up since Early January or so...
Not that I think it's the right way to do things, but they did provide some warning that it was coming.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
From the alert:
* For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
The link "tailspintoys.com" actually goes to "tailspingtoys.com" (which is not resolved at all).
I have something in common with Stephen Hawking...
I thought IE was supposed to get that like years ago... not that this is really related to the topic, but couldn't they roll it in to the nightly "security update" build?
SCO: 800-726-8649
Verisign: 800-361-8319, 888-642-9675
Diebold: 800-433-VOTE (8683)
Thats 2 gui's for Windows, and 3 gui's for Mac. They are just wrappers on the same renderer, Gecko. Choice is a good thing. There's many Gecko based browsers from other places besides Mozilla too, oh the horrors.
What bugs? If they were so bad someone would fix them, or you wouldd do it yourself instead of waiting 45 days for Microsoft to fix "critical" bugs.
This patch doesn't cover much, it's more like a Security pastie.
I still got Internet Explorer 3 on a CD I got from my first ISP somewhere, is that safe?
DONG!
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
Couldn't we just upgrade BillG to Linus? It would make more sense, wouldn't it?
gllshhht...
So they dropped support for basic authentication by making "@" an invalid character, what about the problem with having "%01" in a url?
Also, in making "@" an invalid character, did they actually take out the basic authentication code or leave it in there to rot like so much forgotten leftovers in the refrigerator?
Netscape was always free for personal use. My first ISP even gave us Netscape on floppies when we signed up, because CD's weren't very common yet. I don't recall ever being asked for $50.
Communism is the enemy of long-winded liars?
This has got to be a hoax!
For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in the screen (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinately.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one: this one.
(Though clicking the link on that page will fail with the above described error page)
It loaded fine, the actual shopping cart wouldn't work correctly.
need a damn edit function...
Jaysyn
There is a war going on for your mind.
Better luck next time, chump.
Just an idea and a question..
/.
Almost daily, we hear about, and in many cases quietly mock IE security issues, which I am not here to question, scold or belittle.
There comes a time where you've gotta ask yourself if IE was just absolutely incredibly flawed since it's existance - or do you ask if Microsoft is the only real victim or in some cases 'target' of many of these malicious scripts, cookies, and trojans - or even scarier, perhaps MS is the only browser manufacturer doing anything about it's issues?
The blunt question is:
Could much of this malicious activity be soon present on other browsers?
I see IE as a bigger threat than anything like it on the market because of IE's seemless integration with the Windows shell. Active X components. and web enabled ability to browse web sites, or access the local directory substructure using the same program. basically.
How many common applications require some level internet explorer, and it is often used with
VB GUI... not going anywhere with this, just scrawlings.. seems somehow dangerous.. =)
What about Java, its embedded into the windows shell also..
Just a few random thoughts from a guy of the street.. any feedback?
That's not Bill, that's Steve, and he's displaying normal behavior, move along.
Trojan Developers! Virus Developers! Worm Developers! Trojan Developers! Virus Developers! Worm Developers! Trojan Developers! Virus Developers! Worm Developers!
anyone know if replacing @ with %40 works?
Given that there were over 605 million connected internet users (in September 2002), that's over 400 million users of your software, and probably more now that it's almost a year and a half later.
Your users span hundreds of thousands of different hardware and software environments. And that doesn't even include IE 5.5 and 5 that they need to patch as well.
They'd better be sure the patch doesn't break anything critical. I'm surprised they don't break things more often than they do.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
the only reason i use ie, well 2 reasons, but the main one is that when i put in d: into the address bar, it automagically turns into windows explorer so i can view files and stuff.
also mozilla renders the page as its being downloaded and IE does it after its downloaded. so when i get a webpage in mozilla i have a bunch of images and shit loading. In IE i have a whole page albiet it takes a few seconds longer but it makes it alot prettier.
I'll just use my special getting high powers one more time...
I think this fix is a great thing. Now when my friends say "The porn sites won't work anymore" I can say "Here Try this"
Finally Microsoft gives me a perfect answer to "But why should I switch?" questions.
mod
Just checking, does this only effect http://, or is it now impossible to use an ftp URL which includes a password too ?
Ie. ftp://username:password@website.com
Will that work ?
It's MUCH harder to change your bank than to patch your browser. While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank, it can be a real pain if you have something like, say, a mortgage on a house. If you do, you have two options:
1) Refininance at a new bank. This can cost you money, and, if intrest rates go up, give you a wrose rate.
2) Move your checking/savings, and leave your mortgage, which means you need to do bussiness with two banks.
Idealism with browers is all well and good but there are real world concerns with simply telling a bank to stick it in many cases.
Some banks just suffer from a case of being stupid with browsers. One of my coworkers had a bank like that. They actually supported netscape too, but thing was they did NOT support Mozilla. I've a feeling it would actually have worked fine, but their little script checked the browser ID and refused to let him try and log in.
I use Opera and haven't once had a security related problem with it. It works great and gets better with each new release, like with Opera 7.5 preview 1
The average user uses the internet for email online banking and news sites...and mozilla works with all of those. What's the problem?
because mydoom.b activates tomorrow and attacks Microsoft.
Chip H.
I noticed there appears to be an error generated if your home page uses the user@pass inclusion in a URL (whtn invoking IE for the first time).
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Subsequent attempts seem to work, but the initial spawn of the browser does something different in terms of URL qualification it seems.
What's the big deal.
Anyone that clicks a link in an e-mail from a purported financial institution that they don't know is an auto response to a transaction they just performed is an idiot who deserves to be ripped off.
If it was an autoresponse visit the website using a link you already have bookmarked to conduct your inquiries into the matter.
There isn't any real financial institution or corporate website's for example Banks, 401K, AOL,Earthlink, Microsoft etc. that sends out this type of crap asking for credit card numbers etc.
The same people that fall for this are the same one's sending all their cash to Nigerian scammers.
They're also the same morrons clicking on every virus in the world that lands in their inbox.
If they don't have enough money to pay thier ISP bill then maybe they'll get off the internet and we'll all be better off. If these folks can't afford to be on the internet they won't be able to purchase penis enlargement pills thus multiplying the spam problem.
The list of offences to good sense these people enact is nearly unlimited.
The security bulletin says:
Caveats: None
Did you consider telling me a bunch of my bookmarks will not work anymore, nevermind that they depended on "microsoft extensions"?
And can someone please explain why these issues are of only moderate to important (not critical) severity in Windows Server 2003?
Okay, I know that the lines between O/S and "browser" are a little blurred in MS-land.. but, doing a little poking will show that this is really an *IE* flaw, not an o/s flaw..
The email notification from MS includes win98 through ME, which ain't NT kernel O/S's.. by any stretch of the imagination.
Me? Know about Win95? Nope. don't know, don't care.
I just wish y'all would be a little more accurate.
Your summary is so bad that it implies the flaw is in the O/S, not the browser.. which is just plain wrong.
While RFC 2396 is indeed more recent, it covers a different topic than RFC 1738 does, and therefore doesn't automatically supersede it (it may "update" RFC 1738 on certain points, as is stated in the document header). RFC 2396 only describes Uniform Resource Identifiers in general; it doesn't go into detail for each and every scheme.
However, there is a more recent specification for the HTTP scheme, and that is RFC 2616 (describing HTTP/1.1). It agrees with RFC 1738: No "userinfo" part is allowed in an HTTP URL. And, since RFC 2616 is more recent than RFC 2396, it can't be superseded by RFC 2396 (but neither does it supersede RFC 2396).
Text from Bugzilla copied below (Bugzilla denies links directly from /.)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
When I download a file, the NTFS properties of the parent folder aren't inherited. Things like permissions, compression, encryption. My guess is that after the download completes, the file is being moved from the download temp directory. Instead, it should be copied and the temp file deleted. By copying, the file will inherit NTFS Properties.
Reproducible: Always
Steps to Reproduce: 1.Create a folder on the same partition as the mozilla temp directory (C Drive Usually) 2. Make the folder compressed and give it some specific permissions. 3. Download a file to that directory and see that it doesn't inherit.
Actual Results: The file comes out uncompressed and the permissions applied to the parent folder don't apply.
Expected Results: The downloaded file should be compressed and have the same permissions as the parent folder.
------- Additional Comment #1 From Mike Connor 2003-11-04 17:10 PST [reply] -------
ben, does the file get copied or moved from the temp location? this one would be a dealbreaker for security-conscious organizations.
-> major, has security implications on a file level.
------- Additional Comment #2 From Christian Biesinger 2003-11-05 02:24 PST [reply] -------
> Instead, it should be copied
no, it shouldn't, that would be pretty slow
how did you download? By clicking "save link target as", or by getting asked what you want to do with the file? if the latter, this would not be a firebird-specific bug.
------- Additional Comment #3 From Boris Zbarsky 2003-11-05 08:04 PST [reply] -------
Sounds to me like NTFS is pretty buggy if copy/delete has different final results from move...
------- Additional Comment #4 From Christian Biesinger 2003-11-05 08:28 PST [reply] -------
fwiw this would work if $TEMP is on a different volume, according to this msdn description of MoveFile: " If a file is moved across volumes, MoveFile does not move the security descriptor with the file. The file will be assigned the default security descriptor in the destination directory."
SHFileOperation would also allow us to do what comment 0 requests: FOF_NOCOPYSECURITYATTRIBS Version 4.71. Do not copy the security attributes of the file.
------- Additional Comment #5 From Lucas 2003-11-05 09:09 PST [reply] -------
It doesn't matter if I click on a link to a file and it prompts me to download or if I do it through a right click. The results are the same. Regarding the comment made on the design of NTFS, it's not a bug. If you think about it, it all makes perfect sense. When you move a file to a different partition, it actually copies the whole file over, then deletes it from the index table on the source partition. When you move it on the same partition, it just has to re-index it. The file itself is not moved. NTFS was designed to work that way and even in basic certifications, NTFS behavior is taught. Once you understand the basic rules of NTFS, it's really not that difficult to work with.
------- Additional Comment #6 From Boris Zbarsky 2003-11-05 09:23 PST [reply] -------
The right-click version of saving doesn't use the temp dir and does not copy the file.
Maybe it's my Unix background speaking when I think that partition boundaries should be largely invisible to users... ;)
------- Additional Comment #7 From Benjamin Smedberg 2003-11-05 09:52 PST [reply] -------
According to MSDN, SHFileOperation is available in shell32.dll version 4.0 and later (NT4 and win95). Perhaps nsLocalFileWin::MoveTo should use this function instead of MoveFile?
I definitely think this is a bug, not a featur
Your quotes database is racist
You're missing a few "ash"es, at least. The spelling's not quite correct either. Try this:
;-)
Ash nazg durbatuluk, Ash nazg gimbatul,
Ash nazg thrakatuluk agh burzum-ishi krimpatul.
The ^'s aren't included, but I'm sure you can put them in appropriate places.
Turambar
------------------------------
Common sense is not so common.
--Voltaire
Does your keyboard also have a plastic membrane that keeps the grime and such from your oil-changing hands from getting in between the keys?
Chances are that the FuzzyFurB works as a cubicle drone in a Fortune 500 company or some other brain dead Microsoft "partner" where IT can only be done by the IT staff. They have all sorts of useless testing they do to insure configuration conformance. Microsoft's lack of modularity and real users makes it imposible to add software and be sure you have not changed non related system files. It makes no sense but that's the party line.
The effort, of course, is futile and counter productive. Microsoft junk is so full of holes that any old spam can own your system and many web sites download software for you. The corporate reaction to that is that you should not be browsing the web and to fire people who get suspicious emails. Still, the big dumb companies are always the fist and worst hit by any major worm. The monoculture is especially easy to kill and their suffering quickly becomes our own as poluted corporate machines spew their filth onto the rest of the world.
If the poor bastard had any choice of browsers, I'm sure he'd drop it onto something nice like Debian.
Friends don't help friends install M$ junk.
The kind of place that's dumb enough to forbid installation of superior and no cost software is also too stupid to tell the distiguish between methods of install. As the concept of users is poorly implmented in Windoze, there's hardly a practical difference between the install method you mention and one an actual "install". In any canse, few people are willing to risk their jobs over a choice of a tool that the company looks down on using to begin with. It's all downhill in the land of the dumb, that's why they still use Windoze.
Friends don't help friends install M$ junk.
Not sure if anyone else noticed, but this "security fix" seems to of mysteriously fixed the page down problem in IE which would cause the browser scroll down two pages at a time.
Anyone else see this?
This is an anti-microsoft/pro-opensource/mozilla comment on slashdot, they need not have evidence to makes those claims. In 10 minutes they'll be modded to "+6 Really Really Insightful."
And before I'm modded down as a troll, I'm using mozilla at this very moment because I feel it's more secure. But I base that not on evidence, but on my own feelings, which need no justification.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
So if Microsoft ran a garage, I guess they'd "fix" that funny noise your engine was making by removing the car's battery.
Methinks it would be useful to have a site which exploits all of the major holes in IE/Office (and can send e-mail for Outlook vuln.) that would look like a legitimate use of your office computer but that would trash it so you could go home early...:^)
Thanks! I was going to setup a redirect page on my home server and post again with a link to that to get around the Slashdot block they put in place. Instead, I decided to unglue myself from the computer. *grin* -Lucas
It's not the businesses that are the problem, it's the web monkeys writing the sites.
I did the same thing with http://www.landrover.co.nz, and got the response that 1% of visitors used non-IE browser., and that the site would require a complete rewrite (according to the web developers).
From a business perspect this is fine, the problem is that the stats are likely based on total hits which is flawed because only the first and error pages are counted, and that the web guys are flat out wrong about needing to rewrite the site. But there's no way for the marketing person managing this site to know that.
Out of interest I tried Moz with the IE6 UA plugin, and it works fine.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
I think I just need to find some oddball way to tie other IE bugs to security issues. That way I can get rapid patches like this instead of being told to buy a new OS.
Perhaps if the incorrect box model caused some # on a online purchasing site to become hidden. Causing purcases of 10,099.00 in stead of 99.00.
if the mailto://user@host.tld works in IE with this fix ?
RTFA tells me that "@" in an HTTP url is now considered to have an invalid syntax. Is this the case with the mailto protocol also ?
TIA.
How insecure might Mozilla be revealed as if it had the 98% or so usage that Internet Explorer has?
In fact, Bill Gates the other day was speaking at a keynote address and stated that because Windows and its related technologies are subjected to so much more security stress over the years with such a massive market share, they are actually the most secure out there. One might quibble with this, but even Slashdot once reported on the now infamous study showing Linux was actually the most-breached OS on the net.
Even so--I don't touch IE with a ten-foot pole.
They both have good points except that if you really have 30,000 people who really want to hear what you have to say each day well you should have a Blog. For the rest of us, if we send an email to 1000 people... Well, 999 of them probably don't want to hear what we have to say.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
Does this means that when you click a mailto:someone@somesite.ext you get an error??
I gave up with the idea of an useful sig...
This patch broke the auth for some of my web-based software packages :-(
.htaccess auth instead of cookie auth, but since the software is heavily used on public terminals we also have the need for a functional [LOGOUT] button.
.htaccess protected folder, with the same ID as the actual software, but with a new username of 'please_enter_your_email'
We had the need to use
My logout button would direct the user to a seperatly
This caused IE to 'forget' it's previous auth information and store the new one.
Then, if somebody tried to use the back button on a public terminal to re-enter the software, they would get the auth box. (unlike with cookies, where the cached page may still appear, because ie6 likes to ignore no-cache directives)
But now, as users patch their systems, my logout button will be broken and give an 'invalid syntax' error.
Is there some other way to force the IE browser to forget browser auth information?
I just tested with a patched version of IE 6 and username/password in ftp:// url's still seem to work.
Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
download and unzip firebird no install needed
Maybe some MCSE could tell me, what are string processing functions doing in the kernel?
My firewall (Kerio PF, also checks MD5 hashes of executables) detected a change in the Windows Update Client itself while applying this patch. The date on the executable is 1/31/2004. Is there something I should worry about, cuz I don't think this has happened before?
Now it is really bad when they rely on you turning on ActiveX or something else insecure making your PC even more vulnerable to trojans!
I run Linux at home, but I still don't dare use netbanking (also because I have had insights into the system my bank uses from my professional life).
I considered getting an account in another bank where they don't rely so much on your PC to be secure: Once in a while they snail mail you a small physical card with a table of random numbers on it. When you want to do a transfer of money it asks you to look up into the table and type in the corresponding number. This way they can make sure you not only know the password but also have the physical card. Thus if a cracker takes over your PC they can't transfer money from your account anyway - only see what you have on your account. This solution is ofcourse not very elegant but it is much more secure than what any of the other banks can offer.
I use mozilla at 3 different banks without problem at all.
Just because it is recommended doesnt mean it is a have to.
All my banks state is that is must support 128bit encryption and the https protocal
Wrong RFC. Try RFC 2396.
when will Mozilla be able to remember passwords properly?
why is it that half of my web pages which has at pass word field in the form does not get the password remembered?it's really annoying that I have to look at my pass words for some sites while others seem to work without any problems.
surely it's obvious if a form contains a password fields and it contains a password?
This line opens with some mis-informed bullshit about a company that produces a proprietry operating system. This line refers to a bug uncovered when a dickhead used the OS. This line neglects to mention that the all open source alternatives either a) dont support the feature(s) or b) didnt support it until either SGI or IBM handed over the code. This lines makes a really annoying and tired connection with the Santa Cruz Org or Microsoft that is only understood by Stallman fanboys. This line is funny because the text is bold and italic. Now laugh you stupid little cunt.
GNAA rocks - cumming to your town soon!
I'm wondering why the parent was modded overrated. Are you?
That is the one thing I miss on opera. Very nice browser and the tabbing is fastly superior to Firebird (firebird does still open some links in a new window for some reason) but the wasted space is insane. Then again I got this problem with a lot of window layouts. Menu bars are always two third blank space. Put the status bar up there or something.
Of course Opera wins because it doesn't clutter the taskbar. Why do two clicks when you can switch pages with one eh?
There is however one area where Opera is the supreme king of all browsers. RESUME. It is a god send when for whatever reason the browser is closed. Just start later and continue where you left off with all your pages. No more searching for eons for that one site, crash and all your search results lost. Opera you are the best.
End rant
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
So MS have issued 832,893 security updates before this one?
That sounds about right.
Microsoft Security Patch Fixes URL Security Flaw
'Addresses' or 'Attempts To Address' or 'Exacerbates' would be more appropriate.
With MS's track record, you have no right to assume they fixed anything.
>>I can use telnet to send any string I want to
- faq.ht ml
/* My posts may sometimes be wrong, but my intent is always sincere and my research only somewhat questionable. */
>> any port. Your "security" concerns about
>>gopher:// are misguided.
Misguided you may be, Yoda say.
The insecurity of telnet is why you should disable telnet on the servers you support and implement SSH.
My favorite SSH FAQ:
http://www.employees.org/~satch/ssh/faq/ssh
To quote the faq, "It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for telnet, rlogin, rsh, and rcp. For SSH2, there is a replacement for FTP: sftp."
Live Long and Prosper - Thanks Leonard. You are missed.
Disabling telnet on the servers does nothing to stop telnet clients being used to send arbritary strings to any port. Both you and the original poster who claimed that the gopher URL scheme is a security risk have a lot to learn about network security.
>> Both you and the original poster who claimed that the gopher URL scheme is a security risk have a lot to learn about network security.
Ok. In case you are not trolling, I'll bite with hope of learning something.
1. My post was specifically about the security of Telnet, and that SSH on company servers is a more secure replacement. (I made/make no statements about Gopher.)
2. My post covered security from the perspective of securing data on our servers.
3. Assume we have replaced telnet with ssh on ALL our servers and set up our switches to filter most telnet traffic.
Just how is this bad? Misinformed? Not doing what we should to protect the servers?
If you can take 10 seconds to insult, you might take an extra 10 seconds to explain.
Live Long and Prosper - Thanks Leonard. You are missed.
This UA string works for me when I want to pay my MBNA account:
Mozilla/7.2 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
I think all I did was change the Mozilla/5.0 to Mozilla/7.2 (seemed high enough to make the site happy).
Of course, this doesn't work when I want to check out my 401k because that site thinks my browser is too old... so I switch back to Mozilla/5.0 and it works fine.
With last events of IE insecurity, if I were a bank I would be scared to hell. What I would do is hiring a bunch of security experts, throw mozilla firebird to them and say: Fort Knox Browser. Now.
Then just make every client download and use that browser if they want to do online banking. Because secure online banking is not only important. For many banks is crucial. Remember that a bank's value is in trust.
This is something free-sw beats the crap out of closed-sw: it is an effort that can be shared among many banks and the oss-community, because it is something in the interest of everyone.
It's not bad or misinformed, just irrelevant to the parent thread.
Special Relativity: The person in the other queue thinks yours is moving faster.
You don't use two banks already? I have a checking account with M&T that I use all the time, and also an account with a credit union that I don't touch. I don't transfer money between the two, so that's not a problem, but one of my co-workers said that he can do that online with M&T and SECU (which isn't my credit union, but still).
:)
If/when I get a house, it will probably be through the credit union, as they'll likely give me a much better deal.
I'm just nervous about having all my money in one spot. Yes, I was a member of that one bank where Levitt (sp?) was arrested and the bank shut down. Maybe you get your money back eventually, but what if I need it in between? Bad things do tend to happen in groups. So I have two bank accounts and two jobs, even though I could be OK with one of each. Backups, you know
WMBC freeform/independent online radio.