Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:
Why the hell does this require a kernel patch?
Mad Software: Rantings on Developing So
Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
http://tomgould.com/
Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on its current assets. Talk about a load of smelly poo...
Just fyi: the update number comes from the number identifying the knowledgebase article where the problem is first identified.
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
Unfortunately this isn't fixed as it should be, i.e. you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses, as was suggested they might here. Hadn't they been saying previously that this problem was unfixable, presumably the reason for disallowing the '@' altogether rather than a real fix? I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for Mac yesterday and it handled it perfectly!). They obviously handle the URL properly at some point since you visit the proper site, they should be able to display the URL properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
I stole this Sig
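As an added illustration of the point made in the post above (this is not code from the thread or from Microsoft's patch), the following Python shows that RFC 1738 userinfo never changes the host a client connects to, and gives a defender-side check that flags links whose username part reads like a site name, plus the address-bar form a browser ought to display. Sample links are constructed.

```python
# Added example: userinfo ("user:pass@") in HTTP URLs versus the real host.
from urllib.parse import urlsplit, urlunsplit
import re

# Constructed sample links, e.g. from a phishing report or proxy log.
SAMPLE_LINKS = [
    "http://microsoft.com@slashdot.org/",            # from the thread
    "http://www.microsoft.com:x@192.0.2.10/login",   # constructed
    "https://user:secret@example.com/private",       # ordinary basic-auth use
    "https://www.microsoft.com/security/",           # no userinfo at all
]

# Username that looks like a DNS name: "microsoft.com", "www.example.org", ...
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def real_host(url: str) -> str:
    """Host the client actually connects to; userinfo is ignored by design."""
    return (urlsplit(url).hostname or "").lower()

def userinfo_spoof_risk(url: str) -> bool:
    """True when the URL carries userinfo whose username part reads like a
    hostname that differs from the real host (the address-bar trick)."""
    user = urlsplit(url).username
    if user is None:
        return False
    return bool(HOSTLIKE.match(user)) and user.lower() != real_host(url)

def display_form(url: str) -> str:
    """The URL with userinfo stripped, i.e. what should appear in the address bar."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

def flag_links(links):
    """Return (link, real host, display form) for each risky link."""
    return [(u, real_host(u), display_form(u)) for u in links if userinfo_spoof_risk(u)]

if __name__ == "__main__":
    for link, host, shown in flag_links(SAMPLE_LINKS):
        print(f"risky: {link!r} -> host {host}, should display {shown}")
```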
Think Firebird. I hated Mozilla, loved Firebird. :)
Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (eg Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I believe that the Calendar module is written purely in that scripting language. Thanks Luke
Go out and get sailing!
Not sure what you were looking for specifically, but the user:pass@host scheme is defined in RFC 1738.
And, no, they're not breaking the spec. It's optional:
Some or all of the parts "<user>:<password>@", ":<password>", ":<port>", and "/<url-path>" may be excluded.
They're just being dumb. As usual.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
This just points out the fundamental flaw of Windows Update: a smart hacker would attack the update process that's used to harden the system.
Just wait.
If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Have you ever been to a turkish prison?
I just canceled a credit card with MBNA because they added a browser sniffer that kept telling me I had "an older version of Netscape" and I needed to upgrade. Wouldn't let me into the site on FB 0.7 on Linux, so I sent them a nice little "fuck you too" cancel request explaining that their site is broken and that's why I'm canceling.
And yes, the site worked just fine in FB 0.7 once I sent an IE 6.0 UA.
I make it a point to relentlessly hound businesses that pull that little stunt. I also post their links on Open Source boards so everyone can get a shot at them. And don't tell me it's childish or rude or anything else - if they hadn't intentionally broken the site in the first place I wouldn't be obligated to tell everyone that the site is crippled. If they can't even hire half-competent web designers (or, more likely, if their management weren't typically incompetent and it actually listened to the web designers) why should I assume that they're capable of handling something as complex as my banking? They're cutting corners there, where else might they be?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I love people referencing to some RFC, but then not reading it themselves :-P
You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that a URL can take.
The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol) and what is not.
Let's look at HTTP (excerpt from the RFC):
An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If
:<port> is omitted, the port defaults to 80. No user name or password is
allowed.
Also your remark "They're just being dumb. As usual." is wrong.
Actually they finally conform to an open specification!