Slashdot Mirror
Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:
Why the hell does this require a kernel patch?
Mad Software: Rantings on Developing So
Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
http://tomgould.com/
Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on it's current assets. Talk about a load of smelly poo...
Just fyi: the update number comes from the number identifying the knowledgebase article where the problem is first identified.
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
Unfortunatly this isn't fixed as it should be, ie you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that problem this was unfixable presumably the reason for disallowing the '@' alltogether rather than a real fix. I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
I stole this Sig
Think Firebird. I hated Mozilla, loved Firebird. :)
Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (eg Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I beleive that the Calendar module is written purely in that scripting language. Thanks Luke
Go out and get sailing!
And before anyone tries to call me lazy, I challenge any mouse-wheel addicted user to disable the wheel.
...yeah, that ought to do it. :)
Challenge met, sir, let me get my hammer...
*whomp* *whomp* *WHOMP*
And while I appreciate that you enjoy the features you list above (fav's in folders, taskbar access, toolbar mobility) they're not for everyone. Me, for example - I tend to struggle with Microsoft's 'You Must Double-Click A Lot To Get Your File Structure Sorted' hierarchy, and all those damn toolbars just eat space on my not-so-high resolution screen. To each their own, I suppose.
Anyways, if you haven't already, try Firebird - you lose some of the things you like, but the UI is about as intuitive as any I've used, especially in Linux. Cut-n-pasting URLs into new tabs with four mouse clicks and a whammy on the NumPad key just looks cool.
But what does my opinion matter, I just vote here. It's not like I have any money or anything.
Not sure what you were looking for specifically, but the user:pass@host scheme is defined in RFC 1738.
And, no, they're not breaking the spec. It's optional:
Some or all of the parts ":@", ":", ":", and "/" may be excluded.
They're just being dumb. As usual.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
This just points out the fundamental flaw of Windows Update: a smart hacker would attack the update process that's used to harden the system.
Just wait.
If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Have you ever been to a turkish prison?
I just canceled a credit card with MBNA because they added a browser sniffer that kept telling me I had "an older version of Netscape" and I needed to upgrade. Wouldn't let me into the site on FB 0.7 on Linux, so I sent them a nice little "fuck you too" cancel request explaining that their site is broken and that's why I'm canceling.
And yes, the site worked just fine in FB 0.7 once I sent an IE 6.0 UA.
I make it a point to relentlessly hound businesses that pull that little stunt. I also post their links on Open Source boards so everyone can get a shot at them. And don't tell me it's childish or rude or anything else - if they hadn't intentionally broken the site in the first place I wouldn't be obligated to tell everyone that the site is crippled. If they can't even hire half-competent web designers (or, more likely, if their management weren't typically incompetent and it actually listened to the web designers) why should I assume that they're capable of handling something as complex as my banking? They're cutting corners there, where else might they be?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I love people referencing to some RFC, but then not reading it themselves :-P
:<port>
You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that URL can take.
The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol ) and not.
Let's look at HTTP (excerpt from the RFC):
An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where and are as described in Section 3.1. If
is omitted, the port defaults to 80. No user name or password is
allowed.
Also your remark "They're just being dumb. As usual." is wrong.
Actually they finally conform to a open specification!
It's MUCH harder to change your bank than to patch your browser.
Yes, it is. You should try the "fake user agent" patches that others have suggested, for example; they usually come in the cross-platform installer (.xpi) format that Mozilla and Firebird can install in two clicks.
While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank
Nice wisecrack, but you don't need to feign concern; I don't drink and I've got a few years pizza money saved up should it come to that.
When I do get a home mortgage, though, could you let me know which banks I ought to be avoiding? For such a serious concern it's odd how abstract this whole thread is. A brief "I banked with X, their website doesn't suppor Mozilla, and when I tried contacting their webmaster and using a user-agent faker the results were Y and Z" would be helpful.