Slashdot Mirror
Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
I can stop typing in all my links by hand?
Oh wait- I use Mozilla. I didn't need to do that anyway.
I still have more fans than freaks. WTF is wrong with you people?
hm... they should patch IE up to be mozilla for example... that could be called a patch...
Aure entuluva!
I am sure M$FT will spin it as if this is an innovative feature.
S
Now check your in-boxes and make the InterWeb a Safer Place TM.
Nice try Microsoft. I'm not clicking links while running IE, as per your instructions!
I wonder what happened to the other 832893 security updates?
I'm supprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why does half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird. :)
Will Stokes Album Shaper http://albumshaper.sf.net
is there a direct link to this patch? tnx
So why is MS posting this? Nothing in this seems like it can't wait 8 days...
Oh and for all of you who don't use Windows SUS - why not? I'm going to patch 350 machines with 5 clicks later this week. Stop your bitchin and get better tools.
Please Mr. Gates, calm down, relax, breath deeply.
As much as I love the mozilla browser, the fact remains that IE is the dominant browser out there and the easiest to install for Windows users hence this is great, important news. Now to start downloading the patch.
The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:
Why the hell does this require a kernel patch?
Mad Software: Rantings on Developing So
I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?
Jedidiah
Craft Beer Programming T-shirts
I switched away from IE a while ago because the browser windows would mysteriously disappear while using Microsoft's own Virtual Desktop Manager. Firebird works fine with it. It's ironic that Firebird integrates more well with one of MS's products than MS's own product does.
There's always the fact that those of us who want to use this bug to, say, show "grades" to our "parents" online will keep this unpatched, thus allowing us to give them our "real" grades without the wonders of Photoshop or Fireworks or the GIMP.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer
/.
So now all those goatse URL's finally parse back to the trolls at
Rule #1 -- Politics always trumps technology.
Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
http://tomgould.com/
So you don't have to match up the knowledge base numbers in WindowsUpdate:
Here
Here
Here
Here
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
I saw it on tv last night. I think it was
f eb/en/?&mid=2304520392lHKJH09728037420987&dll=LKJ2 3L4SD09UVC9432J5JS-9UDFLKJN345U9SLKJ4L5U0SJCS4
http://microsoft.com/download/patch/win32/2004/
In other words, some email/CC#/whatever harvester decided to pull a funny and use the correction for this flaw as a way to exploit the flaw. Now that I see that the described patch is legitimate, I'm actually laughing internally at the delicious irony.
By the time my mom got the email, the target web site had already been taken down by the sysadmin of the host.
None of this is to condone the action of the scum who blasted the email, but come on, that took some balls.
That's not Bill, that's Steve, and he's displaying normal behavior, move along.
wait isn't that sorta like MikeRoweSoft? how about a patch to help us read. and after that they could hand out Opera to everyone so this never happens again. ay yai yai
Sig (appended to the end of comments you post, 120 chars)
'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer
Yeah, the special characters www.google.com now correctly parse to search.msn.com
LOL, it's not remotely close to over. Very few users regularly update their systems. How do you think SQL slammer was able to affect so many systems months after M$ fixed it?
-You may license this sig for only $6.99.
Once this thing finally hits 1.0 its gonna be a REAL solid piece of software. I'm glad to see they're still maintaining it regularly!
It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.
I left IE as well last week, opting instead for Opera, and really couldn't be happier. Screw 'em, I want my tabbed browsing!
it says it's cumulative patch, so it probably does more than just these few fixes, it probably does all ie related security patches post xp sp1.
>included a new clippy bmp in that ?!?! :)
no, but this patch probably involves some kernel changes which make it sobig.
Yeah, I know, mostly my comment was sarcasm. *grin*
But you're right, people don't stay nearly up to date on patches - for pretty much anything they use.
Reminds me of the time my friend couldn't get his Counter-Strike to work, and wanted me to help him. Within like two minutes, I realized he hadn't updated his video drivers.
Oy.
"This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
"
...and even though they continue to break standards, people continue to use their software. Are users that ignorant and lazy? .. Why do I even ask that question.
http(s)://username:password@server/resource.ext
[alk]
10K bug fix
2.799M new bugs
(I typed this already, but after downloading the patch my computer froze up and I'm having to retype it.)
I can't take credit for this, as I saw it on slashdot once: "64,000 bugs in the code, 64,000 bugs, whack one back with a service pack, 64,008 bugs in the code."
A feeling of having made the same mistake before: Deja Foobar
It merely removes the feature containing the flaw. For an implementation of the feature without the flaw, see http://www.mozilla.org/
This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.
HPC for Primates. Read Cluster Monkey
"Aiee!!!", a death cry depicted in war comics?
My hyperlinks aren't worth the paper they're printed on.
Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on it's current assets. Talk about a load of smelly poo...
Why not just use k-meleon and be done with it? Its fast if not the fastest browser on Windows. Based on Gecko, its got all of the stuff that mozilla does, but none of the heavy GUI (K-meleon is pure MFC).
http://kmeleon.sourceforge.net
Brielle
so it probably does more than just these few fixes
Of course it does, it now gives Redmond full access to your hard drive. And they snitch to RIAA for bucks per bust.
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
Unfortunatly this isn't fixed as it should be, ie you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that problem this was unfixable presumably the reason for disallowing the '@' alltogether rather than a real fix. I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
I stole this Sig
I know a lot of people suggest switching to Mozilla, but it's not even about Mozilla. Almost every other browser is better than IE these days. Opera, Konqueror, Mozilla, (insert other browsers here). IE hasn't had anything significant in years. It lacks basic even basic things other browsers have. Pop up blocking, tabbed browsing, the ability to stop gif ads from looping, much better basic security policies, more w3c compiant, they don't make up their own html tags, plus many many more.
IE is so horrible. It's gotten to the point that just by using IE you are pretty much guaranteed to get spyware/adware/virus. Most of the people I know who use IE have their homepage changed daily, get a new toolbar every two days, so many pop ups they have to reboot weekly, their email stolen from cookies hourly, and a partridge in a pear tree.
Since clicking on links is unsafe until we correct the link clicking bug, please open a dos prompt, run debug.exe and type in the following....
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
I've been using Bofa online banking for over a year now with Firebird with NO problems except one small CSS issue that appears when setting up a payee in Bill-Pay.
Instead of complaining about banks that recommend IE, move to BofA and tell your existing bank why you are moving!
"Blah blah, status quo, what can you do?"... as soon as it hurts their pockets, they'll add Mozilla support.
Don't just move for the tech though - the BofA system is very well thought out and feature rich and sells itself pretty well. I now pay all my bills through it. It even let's you send payments to individuals (I assume it mails them a check - never used it). I'm now down to writing 4 checks a month, and am hoping to eliminate those soon (I think my wife's going to take a little more coaxing though before she kicks the habit :).
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
I, for one, think it's wonderful that Microsoft takes such an active interest in fixing the few security holes found in their products. And with such speed! Kudos to you, Microsoft!
Are you being ironic?
I can't even tell anymore...
Treehugger? Treehugger... Treehugger!
While everyone keeps commenting that disabling this functionality seems to break an RFC, does anyone know which one it is? It seems like the kind of thign that would be one, but after a few minutes of cursory searching I can't find a reference.
If it truly an RFC, then Firebird (and I assume Mozilla) are equally as guilty - in thefew instances where I've tried to use this functionality (mostly as bookmarks for protected pages I frequent), it has yet to work. Bugzila anyone?
Cue The Sun...
I was always amazed at how a Windows SP would replace most executables, even stuff like calc.exe etc. Either their dependencies are horribly mixed up or its "lets be safe and replace everything".
If I used IE I might feel worried. Mozilla is my friend and your friend too.
And since MS has closed-source, I can never be sure, therefore I won't use Microsoft anymore.
They're a breeding-ground of spam and everything that's out of control is their own fault due to their policies.
I don't know the meaning of the word 'don't' - J
So what's the final figure? I know Mozilla was patched right away, last I heard the IE count was over 30 days.
i threw away my mouse when they suggested no clicking on URLs. now they fsck it and i have now mouse, what am i gonna do? hmmm, i should post this as an "ask slashdot".
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
Very informative, but there was an 'extension' to the spec, making xxx@yyy part of it
puts ("Python r0cks\n");
Turns out this behaviour is specified in RFC 1738 (Uniform Reasource Locator), where it defines a URL as being of the form:
//<user>:<password>@<host>:<port>/<url-pa th>
Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?
Cue The Sun...
You can read the details here and here (original thread). It was caused by an update released back in November 2003.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
"...the RFC specification says that http authentication is not allowed in a http url, it is allowed in a generic URI but not for HTTP urls, this is an exception! RFC 1738 - Page 8
So, Microsoft is in fact sticking to the RFC this time, something they should have done long time ago. I have been blocking this "http authentication" in every mail I received on my domain for over a year, but when I saw the IE url obfuscation issue a few weeks back, I was amased that nobody knew this, so I thought I was wrong and that's why I didn't reply. Microsoft still gets a "D" from me for this big mess!"
Wasn't Big Bill talking about how they patched faster than the evil open source programmers not that long ago? Isn't this bug something that's been a problem for years, been know about for just as long, and been in hot debate for a couple of weeks now?
I thought so.
Seems like only lots of contraversy gets MS to update their software somtimes.
If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Have you ever been to a turkish prison?
If you are referring to the URI request for comments then you are wrong, it's not a standard. Check it out for yourself, the login syntax ([ user [ : password ] @ ] hostport) is only mentined inside of telnet:// and ftp:// not http:// or https://
My university uses an Exchange 2003 server for its e-mail. Well apparently this patch breaks logon using Outlook Web Access on that server. Turns out the username and password is in the URL being sent to the server, the same thing this patch kills.
Not sure if this is the way it is with every Exchange server or if it is how my university's server is configured, but if you use OWA you might want to be careful with this patch.
Removing support for user.password@www.address.net?
I just felt the death screams of 40,000,000 porn sites across the planet.
And the FUNNIEST thing ever...
Microsoft was trying to End Of Life support for Windows 98, so they came out with this "uber-patch" "Security Update" CD just this month, that supposedly would bring Windows 98 up to the highest level of security and then with the CD, they could wash their hands of it. The CD is being mailed to ever citizen in Japan, all these customers, tons of shit, etc.
The *FUNNIEST* thing is that this fix is not in the CD (of course) and now microsoft is even BACKTRACKING on ending support for Win98 (now supposedly goes until 2006). So this CD that they spent months developing and beta testing and sending out is now worthless...
SCO: 800-726-8649
Verisign: 800-361-8319, 888-642-9675
Diebold: 800-433-VOTE (8683)
Disclaimer: I use linux. I fret not.
I know you'll never become a computer security guy.
...is the text of the update on Microsoft's Software Update Services service...
"...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."
although there's no mention of that in the KB article.
It was used to hide goatse links on k5 with such regularity that it did the unthinkable - prompted rusty to make a change to scoop.
Making the moon less necessary since 1998.
Windows 98 is supposed to continue to get security updates, and what about Windows Me?
Neither of those are listed as being supported by the update.
If we have this many security flaws now, what will it be like when microsux sends the majority of their programming jobs overseas? Kinda like... I know, lets have terrorist sympathisers write our crap! Good one(?)... Roger that Bill.
gllshhht...
Yes, but they did provide warning:
k b; [LN];834489
http://support.microsoft.com/default.aspx?scid=
Note that this KB article was changed today to reflect that it is indeed in this patch, however, this article has been up since Early January or so...
Not that I think it's the right way to do things, but they did provide some warning that it was coming.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
From the alert:
* For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
The link "tailspintoys.com" actually goes to "tailspingtoys.com" (which is not resolved at all).
I have something in common with Stephen Hawking...
I thought IE was supposed to get that like years ago... not that this is really related to the topic, but couldn't they roll it in to the nightly "security update" build?
SCO: 800-726-8649
Verisign: 800-361-8319, 888-642-9675
Diebold: 800-433-VOTE (8683)
This patch doesn't cover much, it's more like a Security pastie.
I still got Internet Explorer 3 on a CD I got from my first ISP somewhere, is that safe?
DONG!
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
Couldn't we just upgrade BillG to Linus? It would make more sense, wouldn't it?
gllshhht...
So they dropped support for basic authentication by making "@" an invalid character, what about the problem with having "%01" in a url?
Also, in making "@" an invalid character, did they actually take out the basic authentication code or leave it in there to rot like so much forgotten leftovers in the refrigerator?
Netscape was always free for personal use. My first ISP even gave us Netscape on floppies when we signed up, because CD's weren't very common yet. I don't recall ever being asked for $50.
For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in the screen (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinately.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one: this one.
(Though clicking the link on that page will fail with the above described error page)
It loaded fine, the actual shopping cart wouldn't work correctly.
need a damn edit function...
Jaysyn
There is a war going on for your mind.
That's not Bill, that's Steve, and he's displaying normal behavior, move along.
Trojan Developers! Virus Developers! Worm Developers! Trojan Developers! Virus Developers! Worm Developers! Trojan Developers! Virus Developers! Worm Developers!
anyone know if replacing @ with %40 works?
Given that there were over 605 million connected internet users (in September 2002), that's over 400 million users of your software, and probably more now that it's almost a year and a half later.
Your users span hundreds of thousands of different hardware and software environments. And that doesn't even include IE 5.5 and 5 that they need to patch as well.
They'd better be sure the patch doesn't break anything critical. I'm surprised they don't break things more often than they do.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
the only reason i use ie, well 2 reasons, but the main one is that when i put in d: into the address bar, it automagically turns into windows explorer so i can view files and stuff.
also mozilla renders the page as its being downloaded and IE does it after its downloaded. so when i get a webpage in mozilla i have a bunch of images and shit loading. In IE i have a whole page albiet it takes a few seconds longer but it makes it alot prettier.
I'll just use my special getting high powers one more time...
I think this fix is a great thing. Now when my friends say "The porn sites won't work anymore" I can say "Here Try this"
Finally Microsoft gives me a perfect answer to "But why should I switch?" questions.
Just checking, does this only effect http://, or is it now impossible to use an ftp URL which includes a password too ?
Ie. ftp://username:password@website.com
Will that work ?
It's MUCH harder to change your bank than to patch your browser. While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank, it can be a real pain if you have something like, say, a mortgage on a house. If you do, you have two options:
1) Refininance at a new bank. This can cost you money, and, if intrest rates go up, give you a wrose rate.
2) Move your checking/savings, and leave your mortgage, which means you need to do bussiness with two banks.
Idealism with browers is all well and good but there are real world concerns with simply telling a bank to stick it in many cases.
Some banks just suffer from a case of being stupid with browsers. One of my coworkers had a bank like that. They actually supported netscape too, but thing was they did NOT support Mozilla. I've a feeling it would actually have worked fine, but their little script checked the browser ID and refused to let him try and log in.
because mydoom.b activates tomorrow and attacks Microsoft.
Chip H.
I noticed there appears to be an error generated if your home page uses the user@pass inclusion in a URL (whtn invoking IE for the first time).
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Subsequent attempts seem to work, but the initial spawn of the browser does something different in terms of URL qualification it seems.
The security bulletin says:
Caveats: None
Did you consider telling me a bunch of my bookmarks will not work anymore, nevermind that they depended on "microsoft extensions"?
And can someone please explain why these issues are of only moderate to important (not critical) severity in Windows Server 2003?
That is sarcasm, it really bugs me that /.ers can't tell the difference between irony and sarcasm, it's not rocket science.
irony ( P ) Pronunciation Key (r-n, r-) n. pl. ironies
1. 1. The use of words to express something different from and often opposite to their literal meaning.
2. An expression or utterance marked by a deliberate contrast between apparent and intended meaning.
3. A literary style employing such contrasts for humorous or rhetorical effect. See Synonyms at wit1.
Or were you just being sarcastic?
Treehugger? Treehugger... Treehugger!
While RFC 2396 is indeed more recent, it covers a different topic than RFC 1738 does, and therefore doesn't automatically supersede it (it may "update" RFC 1738 on certain points, as is stated in the document header). RFC 2396 only describes Uniform Resource Identifiers in general; it doesn't go into detail for each and every scheme.
However, there is a more recent specification for the HTTP scheme, and that is RFC 2616 (describing HTTP/1.1). It agrees with RFC 1738: No "userinfo" part is allowed in an HTTP URL. And, since RFC 2616 is more recent than RFC 2396, it can't be superseded by RFC 2396 (but neither does it supersede RFC 2396).
You're missing a few "ash"es, at least. The spelling's not quite correct either. Try this:
;-)
Ash nazg durbatuluk, Ash nazg gimbatul,
Ash nazg thrakatuluk agh burzum-ishi krimpatul.
The ^'s aren't included, but I'm sure you can put them in appropriate places.
Turambar
------------------------------
Common sense is not so common.
--Voltaire
Does your keyboard also have a plastic membrane that keeps the grime and such from your oil-changing hands from getting in between the keys?
Chances are that the FuzzyFurB works as a cubicle drone in a Fortune 500 company or some other brain dead Microsoft "partner" where IT can only be done by the IT staff. They have all sorts of useless testing they do to insure configuration conformance. Microsoft's lack of modularity and real users makes it imposible to add software and be sure you have not changed non related system files. It makes no sense but that's the party line.
The effort, of course, is futile and counter productive. Microsoft junk is so full of holes that any old spam can own your system and many web sites download software for you. The corporate reaction to that is that you should not be browsing the web and to fire people who get suspicious emails. Still, the big dumb companies are always the fist and worst hit by any major worm. The monoculture is especially easy to kill and their suffering quickly becomes our own as poluted corporate machines spew their filth onto the rest of the world.
If the poor bastard had any choice of browsers, I'm sure he'd drop it onto something nice like Debian.
Friends don't help friends install M$ junk.
The kind of place that's dumb enough to forbid installation of superior and no cost software is also too stupid to tell the distiguish between methods of install. As the concept of users is poorly implmented in Windoze, there's hardly a practical difference between the install method you mention and one an actual "install". In any canse, few people are willing to risk their jobs over a choice of a tool that the company looks down on using to begin with. It's all downhill in the land of the dumb, that's why they still use Windoze.
Friends don't help friends install M$ junk.
Not sure if anyone else noticed, but this "security fix" seems to of mysteriously fixed the page down problem in IE which would cause the browser scroll down two pages at a time.
Anyone else see this?
This is an anti-microsoft/pro-opensource/mozilla comment on slashdot, they need not have evidence to makes those claims. In 10 minutes they'll be modded to "+6 Really Really Insightful."
And before I'm modded down as a troll, I'm using mozilla at this very moment because I feel it's more secure. But I base that not on evidence, but on my own feelings, which need no justification.
This is what happens when you're forced to try and navigate web sites by typing in URLs all the time.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
So if Microsoft ran a garage, I guess they'd "fix" that funny noise your engine was making by removing the car's battery.
Methinks it would be useful to have a site which exploits all of the major holes in IE/Office (and can send e-mail for Outlook vuln.) that would look like a legitimate use of your office computer but that would trash it so you could go home early...:^)
Thanks! I was going to setup a redirect page on my home server and post again with a link to that to get around the Slashdot block they put in place. Instead, I decided to unglue myself from the computer. *grin* -Lucas
It's not the businesses that are the problem, it's the web monkeys writing the sites.
I did the same thing with http://www.landrover.co.nz, and got the response that 1% of visitors used non-IE browser., and that the site would require a complete rewrite (according to the web developers).
From a business perspect this is fine, the problem is that the stats are likely based on total hits which is flawed because only the first and error pages are counted, and that the web guys are flat out wrong about needing to rewrite the site. But there's no way for the marketing person managing this site to know that.
Out of interest I tried Moz with the IE6 UA plugin, and it works fine.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
if the mailto://user@host.tld works in IE with this fix ?
RTFA tells me that "@" in an HTTP url is now considered to have an invalid syntax. Is this the case with the mailto protocol also ?
TIA.
How insecure might Mozilla be revealed as if it had the 98% or so usage that Internet Explorer has?
I wouldn't be surprised if they found huge security holes, the difference here is that Mozilla's security holes are patched within hours of being found instead of IE's days or even months.
And then coupled with the fact that IE is basically your only ui on your system if anything happens to it you're pretty screwed...
Does this means that when you click a mailto:someone@somesite.ext you get an error??
I gave up with the idea of an useful sig...
This patch broke the auth for some of my web-based software packages :-(
.htaccess auth instead of cookie auth, but since the software is heavily used on public terminals we also have the need for a functional [LOGOUT] button.
.htaccess protected folder, with the same ID as the actual software, but with a new username of 'please_enter_your_email'
We had the need to use
My logout button would direct the user to a seperatly
This caused IE to 'forget' it's previous auth information and store the new one.
Then, if somebody tried to use the back button on a public terminal to re-enter the software, they would get the auth box. (unlike with cookies, where the cached page may still appear, because ie6 likes to ignore no-cache directives)
But now, as users patch their systems, my logout button will be broken and give an 'invalid syntax' error.
Is there some other way to force the IE browser to forget browser auth information?
I just tested with a patched version of IE 6 and username/password in ftp:// url's still seem to work.
Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
Maybe some MCSE could tell me, what are string processing functions doing in the kernel?
My firewall (Kerio PF, also checks MD5 hashes of executables) detected a change in the Windows Update Client itself while applying this patch. The date on the executable is 1/31/2004. Is there something I should worry about, cuz I don't think this has happened before?
Now it is really bad when they rely on you turning on ActiveX or something else insecure making your PC even more vulnerable to trojans!
I run Linux at home, but I still don't dare use netbanking (also because I have had insights into the system my bank uses from my professional life).
I considered getting an account in another bank where they don't rely so much on your PC to be secure: Once in a while they snail mail you a small physical card with a table of random numbers on it. When you want to do a transfer of money it asks you to look up into the table and type in the corresponding number. This way they can make sure you not only know the password but also have the physical card. Thus if a cracker takes over your PC they can't transfer money from your account anyway - only see what you have on your account. This solution is ofcourse not very elegant but it is much more secure than what any of the other banks can offer.
I use mozilla at 3 different banks without problem at all.
Just because it is recommended doesnt mean it is a have to.
All my banks state is that is must support 128bit encryption and the https protocal
This line opens with some mis-informed bullshit about a company that produces a proprietry operating system. This line refers to a bug uncovered when a dickhead used the OS. This line neglects to mention that the all open source alternatives either a) dont support the feature(s) or b) didnt support it until either SGI or IBM handed over the code. This lines makes a really annoying and tired connection with the Santa Cruz Org or Microsoft that is only understood by Stallman fanboys. This line is funny because the text is bold and italic. Now laugh you stupid little cunt.
GNAA rocks - cumming to your town soon!
Bullshit. If anything happens to IE you kill it with task manager. That's if your using an operating system that is less than 6 years old.
You still use Redhat 5 as well I guess?
That is the one thing I miss on opera. Very nice browser and the tabbing is fastly superior to Firebird (firebird does still open some links in a new window for some reason) but the wasted space is insane. Then again I got this problem with a lot of window layouts. Menu bars are always two third blank space. Put the status bar up there or something.
Of course Opera wins because it doesn't clutter the taskbar. Why do two clicks when you can switch pages with one eh?
There is however one area where Opera is the supreme king of all browsers. RESUME. It is a god send when for whatever reason the browser is closed. Just start later and continue where you left off with all your pages. No more searching for eons for that one site, crash and all your search results lost. Opera you are the best.
End rant
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
So MS have issued 832,893 security updates before this one?
That sounds about right.
Microsoft Security Patch Fixes URL Security Flaw
'Addresses' or 'Attempts To Address' or 'Exacerbates' would be more appropriate.
With MS's track record, you have no right to assume they fixed anything.
>>I can use telnet to send any string I want to
- faq.ht ml
/* My posts may sometimes be wrong, but my intent is always sincere and my research only somewhat questionable. */
>> any port. Your "security" concerns about
>>gopher:// are misguided.
Misguided you may be, Yoda say.
The insecurity of telnet is why you should disable telnet on the servers you support and implement SSH.
My favorite SSH FAQ:
http://www.employees.org/~satch/ssh/faq/ssh
To quote the faq, "It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for telnet, rlogin, rsh, and rcp. For SSH2, there is a replacement for FTP: sftp."
Live Long and Prosper - Thanks Leonard. You are missed.
Disabling telnet on the servers does nothing to stop telnet clients being used to send arbritary strings to any port. Both you and the original poster who claimed that the gopher URL scheme is a security risk have a lot to learn about network security.
>> Both you and the original poster who claimed that the gopher URL scheme is a security risk have a lot to learn about network security.
Ok. In case you are not trolling, I'll bite with hope of learning something.
1. My post was specifically about the security of Telnet, and that SSH on company servers is a more secure replacement. (I made/make no statements about Gopher.)
2. My post covered security from the perspective of securing data on our servers.
3. Assume we have replaced telnet with ssh on ALL our servers and set up our switches to filter most telnet traffic.
Just how is this bad? Misinformed? Not doing what we should to protect the servers?
If you can take 10 seconds to insult, you might take an extra 10 seconds to explain.
Live Long and Prosper - Thanks Leonard. You are missed.
Indeed sarcasm is not rocket science. It is, in fact, a form of irony: http://www.ksu.edu/english/baker/english320/cc-ver bal_irony.htm
With last events of IE insecurity, if I were a bank I would be scared to hell. What I would do is hiring a bunch of security experts, throw mozilla firebird to them and say: Fort Knox Browser. Now.
Then just make every client download and use that browser if they want to do online banking. Because secure online banking is not only important. For many banks is crucial. Remember that a bank's value is in trust.
This is something free-sw beats the crap out of closed-sw: it is an effort that can be shared among many banks and the oss-community, because it is something in the interest of everyone.
It's not bad or misinformed, just irrelevant to the parent thread.
Special Relativity: The person in the other queue thinks yours is moving faster.
You don't use two banks already? I have a checking account with M&T that I use all the time, and also an account with a credit union that I don't touch. I don't transfer money between the two, so that's not a problem, but one of my co-workers said that he can do that online with M&T and SECU (which isn't my credit union, but still).
:)
If/when I get a house, it will probably be through the credit union, as they'll likely give me a much better deal.
I'm just nervous about having all my money in one spot. Yes, I was a member of that one bank where Levitt (sp?) was arrested and the bank shut down. Maybe you get your money back eventually, but what if I need it in between? Bad things do tend to happen in groups. So I have two bank accounts and two jobs, even though I could be OK with one of each. Backups, you know
WMBC freeform/independent online radio.