Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
I'm surprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why does half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird. :)
Will Stokes Album Shaper http://albumshaper.sf.net
Read the new knowledge base article for more goodies. They say URLs in username:password format are no longer supported -- I read that as they removed the support for the format to fix the bug! And then read how they suggest to switch scripting (ActiveX?) to prompt before running. So with IE, they no longer have the URL parameters other browsers safely support, and you have to wade through a bunch of "Scripts are normally safe? Run anyways?" popups. =/ Doesn't seem like a solution for me.
Considering IE is less secure than Mozilla it's alarming to me that any bank would "require" it.
Yes, I'm a little surprised there hasn't been more of a fuss over this.
Is this really the best Microsoft can do?
Whenever a URL with an "xxx[:yyy]@" prefix is clicked or entered, why couldn't they pop up a login dialog box, specifying the name of the site (WITHOUT the xxx[:yyy]@ prefix), filling in the user name and password (i.e. the "xxx" and "yyy" in the appropriate fields), and asking for confirmation of the site to be visited?
Or at least allow a configurable option such as "Disallow username/password in URLs / Prompt with Dialog Box / Allow" (with the default set to Disallow). That way, advanced users would still be able to use the username:password@ syntax if they enable the option. It's actually pretty useful as a quick way to transfer files by FTP, so I hope it's still supported over FTP.
No, because anybody that stupid can be fooled by simply having the URL go directly to the evil site.
The basic problem is that IE displays the URL "http://www.good.com/foo%00@www.evil.com/bar" as "http://www.good.com/foo" and thus completely hides the fact that it actually goes to "www.evil.com", even for an expert user. This is the bug in IE that needs to be fixed.
Even if fixed, the above URL would certainly fool a lot of people that it goes to "good.com". All browsers today seem vulnerable to this. So some solution is necessary.
My recommended solution is to preview starting with the '@' sign so the user sees "@www.evil.com/bar". This also has the nice effect of hiding the username & password for (obviously extremely weak) security.
I do think Microsoft's solution is about the stupidest thing they can do after the "do nothing" solution. I find it hard to believe they cannot fix their status bar preview; this would indicate the innards are such a horrible mess of spaghetti that they cannot make even simple changes and they had to attack the only single point of entry, which is where the HTTP GET command is processed.
Of course the '@' is not a standard, but neither is ActiveX and Microsoft does not seem to be removing that. Saying that it is ok because it is not an official standard is stupid. It will break plenty of sites.
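An added example, not from the thread or from any browser's code, that puts the two ideas above into working Python: it parses the authority the way RFC 3986 (and Python's urllib.parse.urlsplit) does, flags the deceptive userinfo patterns, builds the "@host/path" status-bar preview one poster recommends, and applies the Disallow/Prompt/Allow setting another poster asks for. The URLs in the tests are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Percent-encoded C0 control bytes (or DEL) in the userinfo are the "special
# characters" behind the display bug: a naive renderer stops drawing there.
_ENCODED_CONTROL = re.compile(r"%(0[0-9a-fA-F]|1[0-9a-fA-F]|7[fF])")

def analyze_url(url):
    """Return the host that is really contacted plus deception indicators."""
    parts = urlsplit(url)
    # RFC 3986: the authority ends at the first '/', '?' or '#', and anything
    # before the LAST '@' inside it is userinfo; urlsplit follows that rule.
    userinfo, have_at, _ = parts.netloc.rpartition("@")
    flags = []
    if have_at:
        flags.append("userinfo_present")
        if "." in userinfo.split(":", 1)[0]:
            flags.append("userinfo_looks_like_hostname")
        if _ENCODED_CONTROL.search(userinfo):
            flags.append("encoded_control_char_in_userinfo")
    if "@" in parts.path:
        # A parser that fails to stop the authority at '/' would take the text
        # after this '@' as the host, so the URL deserves a second look.
        flags.append("at_sign_in_path")
    return {"scheme": parts.scheme, "real_host": parts.hostname,
            "userinfo": userinfo if have_at else None, "flags": flags}

def status_bar_preview(url):
    """Preview from the authority's '@' onward: the true host comes first and
    the credentials are never echoed to the screen."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return "@" + parts.netloc.rpartition("@")[2] + tail

def apply_policy(url, mode="disallow"):
    """'disallow' / 'prompt' / 'allow' for URLs carrying userinfo (default
    disallow). Returns (action, text_to_show); plain URLs always load."""
    info = analyze_url(url)
    if info["userinfo"] is None:
        return ("load", url)
    if mode == "allow":
        return ("load", status_bar_preview(url))
    if mode == "prompt":
        return ("confirm_host:" + info["real_host"], status_bar_preview(url))
    return ("block", status_bar_preview(url))
```

With the default "disallow" setting the lookalike URL is blocked outright, while an FTP URL with real credentials still loads under "allow" and shows "@files.example.net/pub" in the preview.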