Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
I can stop typing in all my links by hand?
Oh wait- I use Mozilla. I didn't need to do that anyway.
I still have more fans than freaks. WTF is wrong with you people?
hm... they should patch IE up to be mozilla for example... that could be called a patch...
Aure entuluva!
I am sure M$FT will spin it as if this is an innovative feature.
Now check your in-boxes and make the InterWeb a Safer Place TM.
Nice try Microsoft. I'm not clicking links while running IE, as per your instructions!
I wonder what happened to the other 832893 security updates?
I'm surprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why do half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird. :)
Will Stokes Album Shaper http://albumshaper.sf.net
Please Mr. Gates, calm down, relax, breathe deeply.
The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:
Why the hell does this require a kernel patch?
Mad Software: Rantings on Developing So
I was under the impression that their fix was simply to make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?
Jedidiah
Craft Beer Programming T-shirts
I switched away from IE a while ago because the browser windows would mysteriously disappear while using Microsoft's own Virtual Desktop Manager. Firebird works fine with it. It's ironic that Firebird integrates better with one of MS's products than MS's own product does.
notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer
So now all those goatse URLs finally parse back to the trolls at /.
Rule #1 -- Politics always trumps technology.
Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
http://tomgould.com/
Because SUS requires you to run IIS. :) Nuff said. Not all of us run 100% Windows Domains with Active Directory and IIS and servers.
So you don't have to match up the knowledge base numbers in WindowsUpdate:
Here
Here
Here
Here
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
I saw it on tv last night. I think it was
http://microsoft.com/download/patch/win32/2004/feb/en/?&mid=2304520392lHKJH09728037420987&dll=LKJ23L4SD09UVC9432J5JS-9UDFLKJN345U9SLKJ4L5U0SJCS4
In other words, some email/CC#/whatever harvester decided to pull a funny and use the correction for this flaw as a way to exploit the flaw. Now that I see that the described patch is legitimate, I'm actually laughing internally at the delicious irony.
By the time my mom got the email, the target web site had already been taken down by the sysadmin of the host.
None of this is to condone the action of the scum who blasted the email, but come on, that took some balls.
'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer
Yeah, the special characters www.google.com now correctly parse to search.msn.com
It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.
I left IE as well last week, opting instead for Opera, and really couldn't be happier. Screw 'em, I want my tabbed browsing!
"This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
"
...and even though they continue to break standards, people continue to use their software. Are users that ignorant and lazy? .. Why do I even ask that question.
http(s)://username:password@server/resource.ext
[alk]
10K bug fix
2.799M new bugs
(I typed this already, but after downloading the patch my computer froze up and I'm having to retype it.)
I can't take credit for this, as I saw it on slashdot once: "64,000 bugs in the code, 64,000 bugs, whack one back with a service pack, 64,008 bugs in the code."
A feeling of having made the same mistake before: Deja Foobar
It merely removes the feature containing the flaw. For an implementation of the feature without the flaw, see http://www.mozilla.org/
This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.
HPC for Primates. Read Cluster Monkey
Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on its current assets. Talk about a load of smelly poo...
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
Unfortunately this isn't fixed as it should be, i.e. you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that this problem was unfixable, presumably the reason for disallowing the '@' altogether rather than a real fix? I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
I stole this Sig
No no, back of the throat, "Aaagghh"
[...] the easiest to install for Windows users [...]
I don't know if "easiest to install" is the best way to describe how most people get IE on their computers.
"Found it slapped on with spit and duct tape" may be more accurate.
Someday, you're going to die. Get over it.
I've been using Bofa online banking for over a year now with Firebird with NO problems except one small CSS issue that appears when setting up a payee in Bill-Pay.
Instead of complaining about banks that recommend IE, move to BofA and tell your existing bank why you are moving!
"Blah blah, status quo, what can you do?"... as soon as it hurts their pockets, they'll add Mozilla support.
Don't just move for the tech though - the BofA system is very well thought out and feature rich and sells itself pretty well. I now pay all my bills through it. It even lets you send payments to individuals (I assume it mails them a check - never used it). I'm now down to writing 4 checks a month, and am hoping to eliminate those soon (I think my wife's going to take a little more coaxing though before she kicks the habit :).
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
did you just use "none of the heavy GUI" and MFC in the same sentence?
And since MS has closed-source, I can never be sure, therefore I won't use Microsoft anymore.
They're a breeding-ground of spam and everything that's out of control is their own fault due to their policies.
I don't know the meaning of the word 'don't' - J
Actually yes, It's RFC 2396.
Mozilla and I'm assuming Firebird do have this functionality.
[alk]
i threw away my mouse when they suggested no clicking on URLs. now they fsck it and i have no mouse, what am i gonna do? hmmm, i should post this as an "ask slashdot".
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
Turns out this behaviour is specified in RFC 1738 (Uniform Resource Locator), where it defines a URL as being of the form:
//<user>:<password>@<host>:<port>/<url-path>
Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?
Cue The Sun...
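An added example, not part of any comment in this thread: a mail-body check that flags http(s) links carrying the `<user>:<password>@` part of the RFC 1738 form quoted above and reports the host the link really points at, while leaving ftp links in that form alone. The sample text is constructed; `tailspintoys` and `wingtiptoys` are the example hosts from Microsoft's alert, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes where the thread's RFC citations say no user name/password is allowed.
HTTP_SCHEMES = {"http", "https"}

# Loose matcher for URLs in a mail body: scheme://, then up to whitespace/quote.
URL_RE = re.compile(r"\b([a-z][a-z0-9+.-]*://[^\s<>\"')]+)", re.IGNORECASE)

# A user part shaped like a host name (label.label) is what misleads a
# reader about where the link goes.
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

# Constructed sample input, not taken from any real message.
SAMPLE_MAIL = """\
Please verify your account at http://www.tailspintoys.com@www.wingtiptoys.com/login today.
Product page: http://www.tailspintoys.com/catalog
Legacy intranet link: https://username:password@server/resource.ext
Mirror: ftp://user:password@ftp.example.org/pub/file.txt
Encoded at-sign: http://www.tailspintoys.com%40www.wingtiptoys.com/
"""


def inspect_url(url):
    """Return a finding for an http(s) URL that carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in HTTP_SCHEMES:
        return None  # e.g. ftp://user:password@host/ is the generic RFC 1738 form
    if "@" not in parts.netloc:
        return None  # "%40" is data; only a literal "@" delimits userinfo
    # The host is whatever follows the LAST "@" in the authority.
    userinfo, _, _hostport = parts.netloc.rpartition("@")
    user = unquote(userinfo.split(":", 1)[0])
    return {
        "url": url,
        "userinfo": userinfo,
        "real_host": (parts.hostname or "").lower(),
        "looks_like_host": bool(HOSTLIKE_RE.match(user)),
    }


def scan(text):
    """Collect findings for every URL found in a block of text."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(1).rstrip(".,;")  # drop trailing sentence punctuation
        try:
            hit = inspect_url(url)
        except ValueError:  # urlsplit rejects malformed bracketed hosts
            continue
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_MAIL):
        flag = "host-like user part" if hit["looks_like_host"] else "credentials in URL"
        print(f"{flag}: {hit['url']} -> real host {hit['real_host']}")
```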
You can read the details here and here (original thread). It was caused by an update released back in November 2003.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
"...the RFC specification says that http authentication is not allowed in a http url, it is allowed in a generic URI but not for HTTP urls, this is an exception! RFC 1738 - Page 8
So, Microsoft is in fact sticking to the RFC this time, something they should have done long time ago. I have been blocking this "http authentication" in every mail I received on my domain for over a year, but when I saw the IE url obfuscation issue a few weeks back, I was amazed that nobody knew this, so I thought I was wrong and that's why I didn't reply. Microsoft still gets a "D" from me for this big mess!"
If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Have you ever been to a turkish prison?
If you are referring to the URI request for comments then you are wrong, it's not a standard. Check it out for yourself, the login syntax ([ user [ : password ] @ ] hostport) is only mentioned inside of telnet:// and ftp:// not http:// or https://
My university uses an Exchange 2003 server for its e-mail. Well apparently this patch breaks logon using Outlook Web Access on that server. Turns out the username and password is in the URL being sent to the server, the same thing this patch kills.
Not sure if this is the way it is with every Exchange server or if it is how my university's server is configured, but if you use OWA you might want to be careful with this patch.
Removing support for user.password@www.address.net?
I just felt the death screams of 40,000,000 porn sites across the planet.
...is the text of the update on Microsoft's Software Update Services service...
"...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."
although there's no mention of that in the KB article.
Yes, but they did provide warning:
http://support.microsoft.com/default.aspx?scid=kb;[LN];834489
Note that this KB article was changed today to reflect that it is indeed in this patch, however, this article has been up since Early January or so...
Not that I think it's the right way to do things, but they did provide some warning that it was coming.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
From the alert:
* For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
The link "tailspintoys.com" actually goes to "tailspingtoys.com" (which is not resolved at all).
I have something in common with Stephen Hawking...
This patch doesn't cover much, it's more like a Security pastie.
For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in the screen (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinitely.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one.
(Though clicking the link on that page will fail with the above described error page)
anyone know if replacing @ with %40 works?
the only reason i use ie, well 2 reasons, but the main one is that when i put in d: into the address bar, it automagically turns into windows explorer so i can view files and stuff.
also mozilla renders the page as it's being downloaded and IE does it after it's downloaded. so when i get a webpage in mozilla i have a bunch of images and shit loading. In IE i have a whole page albeit it takes a few seconds longer but it makes it a lot prettier.
I'll just use my special getting high powers one more time...
I think this fix is a great thing. Now when my friends say "The porn sites won't work anymore" I can say "Here Try this"
Finally Microsoft gives me a perfect answer to "But why should I switch?" questions.
It's MUCH harder to change your bank than to patch your browser. While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank, it can be a real pain if you have something like, say, a mortgage on a house. If you do, you have two options:
1) Refinance at a new bank. This can cost you money, and, if interest rates go up, give you a worse rate.
2) Move your checking/savings, and leave your mortgage, which means you need to do business with two banks.
Idealism with browsers is all well and good but there are real world concerns with simply telling a bank to stick it in many cases.
Some banks just suffer from a case of being stupid with browsers. One of my coworkers had a bank like that. They actually supported netscape too, but thing was they did NOT support Mozilla. I've a feeling it would actually have worked fine, but their little script checked the browser ID and refused to let him try and log in.
The security problem was spotted back in 1993 or 1994.
The problem was that the URI group was way out in hyperspace by then and not doing what people needed. There was an inordinate amount of effort that went into gopher URLs, the gopher losers wanted to have / be a normal character because it could appear in a Mac filename. The point about escape characters was lost.
Most browsers killed gopher because the protocol was so insecure, you could use a gopher URL to send any string you wanted to any port you wanted, ditto for finger.
The URIs that got used in practice were mostly the ones defined in Netscape. They did not give a wetslap for standards from the IETF or W3C, as far as they were concerned they defined the standard. They did not care much about security either, well not until it started to go embarrassingly wrong.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
While RFC 2396 is indeed more recent, it covers a different topic than RFC 1738 does, and therefore doesn't automatically supersede it (it may "update" RFC 1738 on certain points, as is stated in the document header). RFC 2396 only describes Uniform Resource Identifiers in general; it doesn't go into detail for each and every scheme.
However, there is a more recent specification for the HTTP scheme, and that is RFC 2616 (describing HTTP/1.1). It agrees with RFC 1738: No "userinfo" part is allowed in an HTTP URL. And, since RFC 2616 is more recent than RFC 2396, it can't be superseded by RFC 2396 (but neither does it supersede RFC 2396).
Not sure if anyone else noticed, but this "security fix" seems to have mysteriously fixed the page down problem in IE which would cause the browser to scroll down two pages at a time.
Anyone else see this?
With ActiveX, there have been a number of times when visiting a malicious page in IE could have destroyed your computer (e.g. something equivalent to rm -rf /)
It is the only browser wherein I can remember such a hole, and I (try) to keep up with the security mailing lists...
Feel free to search bugtraq if you like.
Now then, I think that there were a few problems in some versions of Netscape/Mozilla, but I don't remember them being nearly as serious as the IE holes.
if the mailto://user@host.tld works in IE with this fix ?
RTFA tells me that "@" in an HTTP url is now considered to have an invalid syntax. Is this the case with the mailto protocol also ?
TIA.
My firewall (Kerio PF, also checks MD5 hashes of executables) detected a change in the Windows Update Client itself while applying this patch. The date on the executable is 1/31/2004. Is there something I should worry about, cuz I don't think this has happened before?
Now it is really bad when they rely on you turning on ActiveX or something else insecure making your PC even more vulnerable to trojans!
I run Linux at home, but I still don't dare use netbanking (also because I have had insights into the system my bank uses from my professional life).
I considered getting an account in another bank where they don't rely so much on your PC to be secure: Once in a while they snail mail you a small physical card with a table of random numbers on it. When you want to do a transfer of money it asks you to look up into the table and type in the corresponding number. This way they can make sure you not only know the password but also have the physical card. Thus if a cracker takes over your PC they can't transfer money from your account anyway - only see what you have on your account. This solution is of course not very elegant but it is much more secure than what any of the other banks can offer.