Slashdot Mirror


Microsoft Security Patch Fixes URL Security Flaw

loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."

5 of 545 comments

  1. Why is URL parsing code in the kernel? by Mr. McGibby · Score: 5, Interesting

    The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:

    Why the hell does this require a kernel patch?

    --
    Mad Software: Rantings on Developing So
    1. Re:Why is URL parsing code in the kernel? by Tuxedo Jack · Score: 5, Interesting

      Because they forced IE to integrate into the shell. Of course, there's IEliminate and similar programs which will shred IE from the system and strip any references to it from various places, and if you install IE6 off the NIS2003 disc, you can edit the install.ini file's ShellIntegration value (set it to 0), and you can use Firebird for everything else.

      --

      Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  2. Re:Wow Security update # 832894 by Oroborus · Score: 5, Interesting

    Just fyi: the update number comes from the number identifying the knowledgebase article where the problem is first identified.

  3. Re:the needed patch by tupps · Score: 5, Interesting

    Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (e.g. Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I believe that the Calendar module is written purely in that scripting language. Thanks Luke

    --
    Go out and get sailing!
  4. Re:Does this mean by gunpowder · Score: 5, Interesting

    I love people referencing to some RFC, but then not reading it themselves :-P

    You said the "user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that a URL can take.

    The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of it or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
    Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol) and what is not.

    Let's look at HTTP (excerpt from the RFC):

    An HTTP URL takes the form:

    http://<host>:<port>/<path>?<searchpart>

    where <host> and <port> are as described in Section 3.1. If :<port>
    is omitted, the port defaults to 80. No user name or password is
    allowed.

    Also your remark "They're just being dumb. As usual." is wrong.
    Actually they finally conform to an open specification!
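
The RFC 1738 rule quoted in the comment above, turned into a small checker. This is an added example, not code from the thread, Microsoft or the RFC: it uses Python's standard urllib.parse to split a URL, reports the host a client would actually contact (the part after the last '@' in the network location), and rejects URLs whose scheme does not permit a user:pass@ part, which Section 3.3 forbids for HTTP. The function names, the USERINFO_ALLOWED set (only ftp, per Section 3.2) and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# RFC 1738 Section 3.3: an HTTP URL is http://<host>:<port>/<path>?<searchpart>
# and "No user name or password is allowed." Section 3.2 does allow
# <user>:<password>@ for ftp. Any scheme not listed here is treated as
# disallowing userinfo (assumption for this example).
USERINFO_ALLOWED = {"ftp"}


def check_url(url):
    """Return (ok, actual_host, reason) for one URL string.

    ok is False when the URL carries a user:pass@ part that its scheme does
    not allow. actual_host is the host a client would really connect to:
    urlsplit() takes it from the text after the last '@' in the netloc,
    so anything before that '@' is userinfo no matter how host-like it looks.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.netloc
    actual_host = parts.hostname or ""

    if "@" not in netloc:
        return True, actual_host, "no userinfo present"

    userinfo = netloc.rsplit("@", 1)[0]
    if scheme in USERINFO_ALLOWED:
        return True, actual_host, "userinfo permitted for scheme %r" % scheme
    return (
        False,
        actual_host,
        "scheme %r does not allow userinfo; %r precedes the real host %r"
        % (scheme, userinfo, actual_host),
    )


def flag_urls(urls):
    """Return the subset of urls that fail check_url(), in input order."""
    return [u for u in urls if not check_url(u)[0]]


# Constructed sample input: one plain HTTP URL, one ftp URL with a legitimate
# anonymous login, and one HTTP URL whose userinfo is a host-like string.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "ftp://anonymous:guest@ftp.example.com/pub/",
    "http://www.example.com@198.51.100.7/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, host, reason = check_url(u)
        print("%-4s host=%-16s %s" % ("OK" if ok else "BAD", host, reason))
```

The useful output is the actual_host field: for the third sample it is 198.51.100.7, not www.example.com, which is exactly the distinction an RFC-conforming parser makes and that the comment thread is arguing about.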