Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
I was under the impression that their fix was simply to make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?
Jedidiah
Seriously, though - I think one of the bigger changes in this release is that IE no longer supports username/password in the URL (http://me:you@whatever.com). No more easy pr0n surfing.
Cemil.
...is the text of the update on Microsoft's Software Update Services service...
"...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."
although there's no mention of that in the KB article.
No, for HTTP requests the username and password are NOT allowed.
RFC 1738 - Page 8
3.3. HTTP
The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).
The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
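The point behind the thread, that whatever precedes the last "@" in a URL is userinfo and the real host is what follows it (RFC 1738 section 3.1, later RFC 3986), is easy to check in code. The example below is added here and is not from the thread or from Microsoft; it uses Python's standard urlsplit() and a few constructed sample URLs, and the flag names and the "looks like a host name" heuristic are my own assumptions, the kind of check a proxy or mail filter might apply rather than simply rejecting every URL containing "@" as the IE update does.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the thread): a plain URL, a
# credential-bearing URL as the posters describe, and a URL whose userinfo
# is dressed up to resemble a trusted host name.
SAMPLE_URLS = [
    "http://www.address.net/index.html",
    "http://user:password@www.address.net/",
    "http://www.example.com@203.0.113.5/login",
]

# Heuristic (assumption): a user name containing a dotted domain-style
# label is more likely an attempt to look like a host than a real login.
HOSTLIKE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def real_host(url):
    """Return the host a client actually connects to.

    urlsplit() treats everything before the last '@' in the authority as
    userinfo, so for the third sample the host is 203.0.113.5, not
    www.example.com.
    """
    return urlsplit(url).hostname


def userinfo(url):
    """Return the userinfo component (text before the last '@'), or ''."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return ""
    return netloc.rsplit("@", 1)[0]


def assess(url):
    """Classify a URL: 'plain', 'credentials', or 'deceptive-userinfo'."""
    info = userinfo(url)
    if not info:
        return "plain"
    user = info.split(":", 1)[0]          # drop any ':password' part
    if HOSTLIKE.match(user):
        return "deceptive-userinfo"
    return "credentials"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{assess(u):20} host={real_host(u)!s:18} {u}")
```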
For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in the screen (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinitely.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one.
(Though clicking the link on that page will fail with the above described error page)