Slashdot Mirror
Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:
Why the hell does this require a kernel patch?
Mad Software: Rantings on Developing So
Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
http://tomgould.com/
I just reload the OS (if you can call it that) every month.
It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.
I left IE as well last week, opting instead for Opera, and really couldn't be happier. Screw 'em, I want my tabbed browsing!
This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.
HPC for Primates. Read Cluster Monkey
Arbitrary decisions to alter the working of the internet just like this seem very incorrect to me. Wouldn't some kind of warning suffice?
Like, - or something like that...
Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on it's current assets. Talk about a load of smelly poo...
Just fyi: the update number comes from the number identifying the knowledgebase article where the problem is first identified.
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
Unfortunatly this isn't fixed as it should be, ie you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that problem this was unfixable presumably the reason for disallowing the '@' alltogether rather than a real fix. I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
I stole this Sig
The irony here is that Firebird probably works on VDs only because it _only_ uses _documented_ WIN32 APIs.
:)
When you expose things to the outside, you have to make them work. Not so for the inside hacks. Too bad
Karma cannot be described by words alone.
Think Firebird. I hated Mozilla, loved Firebird. :)
Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (eg Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I beleive that the Calendar module is written purely in that scripting language. Thanks Luke
Go out and get sailing!
And before anyone tries to call me lazy, I challenge any mouse-wheel addicted user to disable the wheel.
...yeah, that ought to do it. :)
Challenge met, sir, let me get my hammer...
*whomp* *whomp* *WHOMP*
And while I appreciate that you enjoy the features you list above (fav's in folders, taskbar access, toolbar mobility) they're not for everyone. Me, for example - I tend to struggle with Microsoft's 'You Must Double-Click A Lot To Get Your File Structure Sorted' hierarchy, and all those damn toolbars just eat space on my not-so-high resolution screen. To each their own, I suppose.
Anyways, if you haven't already, try Firebird - you lose some of the things you like, but the UI is about as intuitive as any I've used, especially in Linux. Cut-n-pasting URLs into new tabs with four mouse clicks and a whammy on the NumPad key just looks cool.
But what does my opinion matter, I just vote here. It's not like I have any money or anything.
Not sure what you were looking for specifically, but the user:pass@host scheme is defined in RFC 1738.
And, no, they're not breaking the spec. It's optional:
Some or all of the parts ":@", ":", ":", and "/" may be excluded.
They're just being dumb. As usual.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Yeah, really...why do you ask?
/.'ers seem to get technological tunnel vision, so here's a few hints on what the average user is really like:
Since
1. They are convinced the monitor is actually the computer. I don't know what they think that big tower does, but since they have it piled high with boxes, blankets, and it holds up their space heater, they've more than likely forgotten that its there.
2. They have cable / dsl that they use to connect to aol and they have absolutely no firewalls or virus protection.
3. They have no clue what a modem does versus what a network card does, but they do like to pick up on words they saw in the Best Buy ad, thereby running around saying "Why yes, I just recently upgraded my ethernet to thumb-drive."
4. They have no idea that windows update even exists, regardless of how annoying that systray icon becomes.
5. They've never heard of Linux, except maybe in that one IBM ad, but as its an IBM ad, they aren't going to bother to find out.
So they are "ignorant and lazy" as you say, but not everyone was blessed with your incredible technological ability at birth.
slashdot, news for crazed liberal socialist zealots
I use K-Meleon on a daily basis. It's my secondary browser next to monolithic Mozilla. (Firebird fills no niche that the combo of Mozilla and K-Meleon doesn't do better, IMHO.)
It's great (nice and fast even on old PCs that can't run Mozilla or Firebird at adequate speed), but it lacks functionality and polish compared to vanilla Mozilla. It's very extensible if your idea of extensibility is messing around with config files, however.
One thing that sucks is the menus. "Rebar" = ugly hack (you can't use alt shortcuts to activate the menus unless you turn rebar OFF). Also, I don't like its version of tabs. Creating, closing, or switching between "layers" (tabs) causes the window's taskbar tab to move to the rightmost side of the Windows taskbar. Not good.
Don't get me wrong - for some uses, it's the best browser out there. But it's not for everybody, and for those who would use it regularly, it takes even more configuration time to tune/fix than other browsers do.
This just points out the fundamental flaw of Windows Update: a smart hacker would attack the update process that's used to harden the system.
Just wait.
If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Have you ever been to a turkish prison?
I just canceled a credit card with MBNA because they added a browser sniffer that kept telling me I had "an older version of Netscape" and I needed to upgrade. Wouldn't let me into the site on FB 0.7 on Linux, so I sent them a nice little "fuck you too" cancel request explaining that their site is broken and that's why I'm canceling.
And yes, the site worked just fine in FB 0.7 once I sent an IE 6.0 UA.
I make it a point to relentlessly hound businesses that pull that little stunt. I also post their links on Open Source boards so everyone can get a shot at them. And don't tell me it's childish or rude or anything else - if they hadn't intentionally broken the site in the first place I wouldn't be obligated to tell everyone that the site is crippled. If they can't even hire half-competent web designers (or, more likely, if their management weren't typically incompetent and it actually listened to the web designers) why should I assume that they're capable of handling something as complex as my banking? They're cutting corners there, where else might they be?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Slashdot is the best use of tabs I've found to date. I LOVE being able to open a new tab with the "Reply to This" links. Another awesome use is when spillover occurs and I can't see all the comments I want to. I can just hit the "x comments below..." links to open them in new tabs, then close the tabs down as I read up through the "hidden" posts in a long thread. Since the tabs open chronologically (unlike windows which just sort of scatter), this works REALLY well.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I did, but had to switch back because of a security flaw. I posted to Bugzilla and the developers bumped the severity up to "Major". Here I am almost three months later still waiting for a problem the developers consider major to be fixed. It would seem that the only real progress they've made is the vocabulary used when slandering Microsoft.
-Lucas
I love people referencing to some RFC, but then not reading it themselves :-P
:<port>
You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that URL can take.
The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol ) and not.
Let's look at HTTP (excerpt from the RFC):
An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where and are as described in Section 3.1. If
is omitted, the port defaults to 80. No user name or password is
allowed.
Also your remark "They're just being dumb. As usual." is wrong.
Actually they finally conform to a open specification!
anyone know if replacing @ with %40 works?
the only reason i use ie, well 2 reasons, but the main one is that when i put in d: into the address bar, it automagically turns into windows explorer so i can view files and stuff.
also mozilla renders the page as its being downloaded and IE does it after its downloaded. so when i get a webpage in mozilla i have a bunch of images and shit loading. In IE i have a whole page albiet it takes a few seconds longer but it makes it alot prettier.
I'll just use my special getting high powers one more time...
It's MUCH harder to change your bank than to patch your browser.
Yes, it is. You should try the "fake user agent" patches that others have suggested, for example; they usually come in the cross-platform installer (.xpi) format that Mozilla and Firebird can install in two clicks.
While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank
Nice wisecrack, but you don't need to feign concern; I don't drink and I've got a few years pizza money saved up should it come to that.
When I do get a home mortgage, though, could you let me know which banks I ought to be avoiding? For such a serious concern it's odd how abstract this whole thread is. A brief "I banked with X, their website doesn't suppor Mozilla, and when I tried contacting their webmaster and using a user-agent faker the results were Y and Z" would be helpful.
Not sure if anyone else noticed, but this "security fix" seems to of mysteriously fixed the page down problem in IE which would cause the browser scroll down two pages at a time.
Anyone else see this?
if the mailto://user@host.tld works in IE with this fix ?
RTFA tells me that "@" in an HTTP url is now considered to have an invalid syntax. Is this the case with the mailto protocol also ?
TIA.