Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Security Patch Fixes URL Security Flaw

Posted by ryuzaki0 on from the no-more-typing-URLs dept.

loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."

13 of 545 comments (clear)

  1. Deprecating username/password in URLs by Coryoth · · Score: 5, Informative

    I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?

    Jedidiah

    --
    Craft Beer Programming T-shirts
    1. Re:Deprecating username/password in URLs by Squarewav · · Score: 4, Informative

      I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?
      That method of user/password should have never been alowed in the first place. Sure its easy but come on, yah broadcasting your username and password to every node along the way is such a good idea, saves some trouble of pharseing the html. not to mention any spyware that sends back what you type into the adress bar

  2. Re:Does this mean by SultanCemil · · Score: 5, Informative
    Wait mozilla supports HYPERLINKS? wow. I do need to upgrade my browser.

    Seriously, though - I think one of the bigger changes in this release is that IE no longer support username/password in the URL (http://me:you@whatever.com). No more easy pr0n surfing.

    --
    Cemil.
  3. Re:the needed patch by Trogre · · Score: 4, Informative

    Reality is, Mozilla is a far way from replacing I.E.

    Perhaps so, but I use the web for business and recreation on average 6 hours a day, and have never in the last three years had to resort to IE.

    Except, that is, for ensuring that web pages I write render correctly on the lowest common denominator.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  4. Re:Does this mean by interiot · · Score: 4, Informative
    Huh. I had kind of assumed that the username/password was part of the official URI spec, but apparently not:
    • httpaddress
      • h t t p : / / hostport [ / path ] [ ? search ]

      ftpaddress
      • f t p : / / login / path [ ftptype ]

      login
      • [ user [ : password ] @ ] hostport

      hostport
      • host [ : port ]
  5. RFC 1738 by BSDevil · · Score: 4, Informative

    Turns out this behaviour is specified in RFC 1738 (Uniform Reasource Locator), where it defines a URL as being of the form:

    //<user>:<password>@<host>:<port>/<url-pa th>

    Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?

    --
    Cue The Sun...
    1. Re:RFC 1738 by dzym · · Score: 4, Informative

      Confirmed to still work for FTP.

  6. Also, this fixes the scroll bar issue... by antdude · · Score: 4, Informative

    You can read the details here and here (original thread). It was caused by an update released back in November 2003.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  7. Re:Does this mean by pen · · Score: 4, Informative

    Exactly what Opera does

  8. Something really scary.... by Joe5678 · · Score: 5, Informative

    ...is the text of the update on Microsoft's Software Update Services service...

    "...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."

    although there's no mention of that in the KB article.

  9. Re:Does this mean by Holi · · Score: 5, Informative

    No for http requests the username and password are NOT allowed.

    RFC 1738 - Page 8
    3.3. HTTP

    The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

    The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form:

    http://(host>):(port)/(path)?(searchpart)

    where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  10. Here is the behavior of IE after patching.... by WD · · Score: 5, Informative

    For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.

    When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
    The page cannot be displayed
    The page you are looking for might have been removed or had its name changed.


    Once that error message is on the screen, any attempt to go to another URL with an "@" in the screen (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinately.

    This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.

    Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one: this one.
    (Though clicking the link on that page will fail with the above described error page)

  11. Re:It was updated by Zeinfeld · · Score: 4, Informative
    No usernames/passwords are allowed. It's funny in this situation MS is the only one following the RFC

    The security problem was spotted back in 1993 or 1994.

    The problem was that the URI group was way out in hyperspace by then and not doing what people needed. There was an inordinate amount of effort went in to gopher URLs, the gopher losers wanted to have / be a normal character because it could appear in a Mac filename. The point about escape characters was lost.

    Most browsers killed gopher because the protocol was so insecure, you could use a gopher URL to send any string you wanted to any port you wanted, ditto for finger.

    The URIs that got used in practice were mostly the ones defined in Netscape. They did not give a wetslap for standards from the IETF or W3C, as far as they were concerned they defined the standard. They did not care much about security either, well not until it started to go embarrasingly wrong.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/