Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
I'm surprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why does half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird. :)
Will Stokes Album Shaper http://albumshaper.sf.net
No offense... but this is getting old.
Yes, Mozilla is better than IE in a lot of cases... but don't forget, the average user still uses the internet for email, online banking, and news sites.
And guess where you are more than likely to run into an "I.E. recommended" site? Online banking.
Yes, "developers should...", but Developers should do a lot of stuff that they never will. Reality is, Mozilla is a far way from replacing I.E.
I am become Troll, destroyer of threads
Read the new knowledge base article for more goodies. They say URLs in username:password format are no longer supported -- I read that as they removed the support for the format to fix the bug! And then read how they suggest to switch scripting (ActiveX?) to prompt before running. So with IE, they no longer have the URL parameters other browsers safely support, and you have to wade through a bunch of "Scripts are normally safe? Run anyways?" popups. =/ Doesn't seem like a solution to me.
It merely removes the feature containing the flaw. For an implementation of the feature without the flaw, see http://www.mozilla.org/
It doesn't. Nothing on the MS page says it's anything to do with the kernel - it's just the usual Slashdot Microsoft-bashing-without-even-reading-the-article sentiment.
"This issue affects Internet Explorer, a component of Windows. You should apply this update if you have Internet Explorer 5.01 or later."
So mod me down, you know it's the truth.
Considering IE is less secure than Mozilla it's alarming to me that any bank would "require" it.
Yes, I'm a little surprised there hasn't been more of a fuss over this.
Is this really the best Microsoft can do?
Whenever a URL with an "xxx[:yyy]@" prefix is clicked or entered, why couldn't they pop up a login dialog box, specifying the name of the site (WITHOUT the xxx[:yyy]@ prefix), filling in the user name and password (i.e. the "xxx" and "yyy" in the appropriate fields), and asking for confirmation of the site to be visited?
Or at least allow a configurable option such as "Disallow username/password in URLs / Prompt with Dialog Box / Allow" (with the default set to Disallow). That way, advanced users would still be able to use the username:password@ syntax if they enable the option. It's actually pretty useful as a quick way to transfer files by FTP, so I hope it's still supported over FTP.
And since MS has closed-source, I can never be sure, therefore I won't use Microsoft anymore.
They're a breeding-ground of spam and everything that's out of control is their own fault due to their policies.
I don't know the meaning of the word 'don't' - J
If you are referring to the URI request for comments, then you are wrong: it's not a standard. Check it out for yourself, the login syntax ([ user [ : password ] @ ] hostport) is only mentioned inside of telnet:// and ftp:// not http:// or https://
Disclaimer: I use linux. I fret not.
I know you'll never become a computer security guy.
Funny, troll, that's the exact same text you posted in reply when I used "M$". And you apparently missed the point completely. I have no great hate for Microsoft's better products - I'm using two of them right now.
Microsoft IS a for-profit corporation, and that's why the M$ in my writing. As far as bashing them for unfair trade practices like unduly exploiting monopoly positions and FUD, well, when the shoe fits, sniff it, baby!
Corruptissima re publica plurimae leges.
No, because anybody that stupid can be fooled by simply having the URL go directly to the evil site.
The basic problem is that IE displays the URL "http://www.good.com/foo%00@www.evil.com/bar" as "http://www.good.com/foo" and thus completely hides the fact that it actually goes to "www.evil.com", even for an expert user. This is the bug in IE that needs to be fixed.
Even if fixed, the above URL would certainly fool a lot of people that it goes to "good.com". All browsers today seem vulnerable to this. So some solution is necessary.
My recommended solution is to preview starting with the '@' sign so the user sees "@www.evil.com/bar". This also has the nice effect of hiding the username & password for (obviously extremely weak) security.
I do think Microsoft's solution is about the stupidest thing they can do after the "do nothing" solution. I find it hard to believe they cannot fix their status bar preview; this would indicate the innards are such a horrible mess of spaghetti that they cannot make even simple changes and they had to attack the only single point of entry, which is where the http get command is processed.
Of course the '@' is not a standard, but neither is ActiveX and Microsoft does not seem to be removing that. Saying that it is ok because it is not an official standard is stupid. It will break plenty of sites.
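The parsing and display behaviour the post above describes, as an added example in Python (not code from the thread, from Microsoft or from Mozilla): a lenient split at the last '@' is assumed to stand in for the behaviour the post's example implies, urllib gives the strict RFC reading, and the proposed "@host" preview and a suspicious-URL check are built on top.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample, the same string the post above discusses.
SAMPLE = "http://www.good.com/foo%00@www.evil.com/bar"

def lenient_split(url):
    """Assumed lenient parser (what the post's example implies, not IE code):
    after 'scheme://', everything up to the LAST '@' before any '?' or '#'
    is userinfo; the remainder is host and path."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL")
    end = len(rest)
    for ch in "?#":
        pos = rest.find(ch)
        if pos != -1:
            end = min(end, pos)
    at = rest.rfind("@", 0, end)
    if at == -1:
        return scheme, None, rest
    return scheme, rest[:at], rest[at + 1:]

def lenient_host(url):
    """Host the lenient parser would actually connect to."""
    return lenient_split(url)[2].split("/", 1)[0]

def strict_host(url):
    """RFC-style parse via urllib: the authority ends at the first '/', so the
    '@' in SAMPLE falls in the path and the host is www.good.com."""
    return urlsplit(url).hostname

def buggy_status_bar(url):
    """Display the post attributes to IE: percent-decode, then truncate at the
    first NUL as a C string would be."""
    return unquote(url).split("\x00", 1)[0]

def proposed_preview(url):
    """The post's suggested fix: with userinfo present, show from '@' onward so
    the real host is visible and the credentials are hidden."""
    _, userinfo, hostpath = lenient_split(url)
    return url if userinfo is None else "@" + hostpath

def is_suspicious(url):
    """Flag http(s) URLs carrying userinfo or whose strict and lenient hosts
    disagree, both signs of the spoof the thread describes."""
    scheme, userinfo, _ = lenient_split(url)
    return scheme in ("http", "https") and (
        userinfo is not None or strict_host(url) != lenient_host(url))
```

The point the two host functions make is that one string can name two different servers depending on how strictly the parser reads it, which is why a proxy that follows the RFC and a lenient browser behave differently on the same link.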
I think this fix is a great thing. Now when my friends say "The porn sites won't work anymore" I can say "Here, try this"
Finally Microsoft gives me a perfect answer to "But why should I switch?" questions.
It's MUCH harder to change your bank than to patch your browser. While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank, it can be a real pain if you have something like, say, a mortgage on a house. If you do, you have two options:
1) Refinance at a new bank. This can cost you money, and, if interest rates go up, give you a worse rate.
2) Move your checking/savings, and leave your mortgage, which means you need to do business with two banks.
Idealism with browsers is all well and good but there are real world concerns with simply telling a bank to stick it in many cases.
Some banks just suffer from a case of being stupid with browsers. One of my coworkers had a bank like that. They actually supported Netscape too, but the thing was they did NOT support Mozilla. I've a feeling it would actually have worked fine, but their little script checked the browser ID and refused to let him try and log in.
"Some URL schemes". That doesn't explicitly allow it in HTTP as it was already disallowed in RFC 1738. To me that's saying some URL schemes (like FTP for instance) allow it, but it's not recommended. I have only seen one instance where someone has tried to use http://username@password:hostname format at work, but it obviously didn't work because our security proxy closely follows the RFC and doesn't allow it. It wasn't a huge deal as they just needed to type in their basic authentication information into a popup box. This is a good thing that IE doesn't support such an obviously broken syntax. For what it's worth, it really doesn't matter if it's in the RFC or not... If IE supports it then people will use it. If it doesn't then people won't. IE is the top browser these days, boys, and it can write its own rules.
Now it is really bad when they rely on you turning on ActiveX or something else insecure making your PC even more vulnerable to trojans!
I run Linux at home, but I still don't dare use netbanking (also because I have had insights into the system my bank uses from my professional life).
I considered getting an account in another bank where they don't rely so much on your PC to be secure: Once in a while they snail mail you a small physical card with a table of random numbers on it. When you want to do a transfer of money it asks you to look up into the table and type in the corresponding number. This way they can make sure you not only know the password but also have the physical card. Thus if a cracker takes over your PC they can't transfer money from your account anyway - only see what you have on your account. This solution is of course not very elegant but it is much more secure than what any of the other banks can offer.