Slashdot Mirror


Microsoft Security Patch Fixes URL Security Flaw

loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."

25 of 545 comments

  1. Does this mean by AuMatar · · Score: 5, Funny

    I can stop typing in all my links by hand?

    Oh wait- I use Mozilla. I didn't need to do that anyway.

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Does this mean by SultanCemil · · Score: 5, Informative
      Wait mozilla supports HYPERLINKS? wow. I do need to upgrade my browser.

      Seriously, though - I think one of the bigger changes in this release is that IE no longer supports username/password in the URL (http://me:you@whatever.com). No more easy pr0n surfing.

      --
      Cemil.
    2. Re:Does this mean by mickwd · · Score: 5, Insightful

      Yes, I'm a little surprised there hasn't been more of a fuss over this.

      Is this really the best Microsoft can do?

      Whenever a URL with an "xxx[:yyy]@" prefix is clicked or entered, why couldn't they pop up a login dialog box, specifying the name of the site (WITHOUT the xxx[:yyy]@ prefix), filling in the user name and password (i.e. the "xxx" and "yyy" in the appropriate fields), and asking for confirmation of the site to be visited?

      Or at least allow a configurable option such as "Disallow username/password in URLs / Prompt with Dialog Box / Allow" (with the default set to Disallow). That way, advanced users would still be able to use the username:password@ syntax if they enable the option. It's actually pretty useful as a quick way to transfer files by FTP, so I hope it's still supported over FTP.

    3. Re:Does this mean by Holi · · Score: 5, Informative

      No for http requests the username and password are NOT allowed.

      RFC 1738 - Page 8
      3.3. HTTP

      The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

      The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

      where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    4. Re:Does this mean by gunpowder · · Score: 5, Interesting

      I love people referencing some RFC, but then not reading it themselves :-P

      You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that URL can take.

      The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
      Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol) and what is not.

      Let's look at HTTP (excerpt from the RFC):


      An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

      where <host> and <port> are as described in Section 3.1. If :<port>
      is omitted, the port defaults to 80. No user name or password is
      allowed.



      Also your remark "They're just being dumb. As usual." is wrong.
      Actually they finally conform to an open specification!

    5. Re:Does this mean by spitzak · · Score: 5, Insightful

      No, because anybody that stupid can be fooled by simply having the URL go directly to the evil site.

      The basic problem is that IE displays the URL "http://www.good.com/foo%00@www.evil.com/bar" as "http://www.good.com/foo" and thus completely hides the fact that it actually goes to "www.evil.com", even for an expert user. This is the bug in IE that needs to be fixed.

      Even if fixed, the above URL would certainly fool a lot of people that it goes to "good.com". All browsers today seem vulnerable to this. So some solution is necessary.

      My recommended solution is to preview starting with the '@' sign so the user sees "@www.evil.com/bar". This also has the nice effect of hiding the username & password for (obviously extremely weak) security.

      I do think Microsoft's solution is about the stupidest thing they can do after the "do nothing" solution. I find it hard to believe they cannot fix their status bar preview, this would indicate the innards are such a horrible mess of spaghetti that they cannot make even simple changes and they had to attack the only single point of entry which is where the http get command is processed.

      Of course the '@' is not a standard, but neither is ActiveX and Microsoft does not seem to be removing that. Saying that it is ok because it is not an official standard is stupid. It will break plenty of sites.
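A worked model of the problem this sub-thread is debating, added here as an editor's example; it is not code from the thread, from Microsoft or from any browser. It takes the RFC 1738 text gunpowder quotes and the display behaviour spitzak describes and puts them side by side. The URLs are spitzak's example plus a constructed variant, the host names are placeholders, and the "permissive" parse is a hypothetical model of the behaviour the comments describe, not IE's actual parser:

```javascript
// Added example (not from the Slashdot thread, Microsoft, or any browser's
// source): a small model of the URL-display problem discussed above.
// The "buggy" functions reproduce the behaviour the thread describes; they
// are a hypothetical model, not IE's actual parser.

// Sample URL from spitzak's comment, plus a constructed variant without the
// "/" before the "@" (the form RFC 1738's common syntax would actually
// treat as user:password@host).
const SAMPLE_SLASH = "http://www.good.com/foo%00@www.evil.com/bar";
const SAMPLE_NOSLASH = "http://www.good.com%00@www.evil.com/bar";

const ABSOLUTE_URL = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i;

// Model of the permissive parse the thread describes: everything between
// "scheme://" and the LAST "@" is taken as userinfo, even across a "/",
// so the request goes to whatever host follows the "@".
function permissiveParse(url) {
  const m = ABSOLUTE_URL.exec(url);
  if (!m) throw new Error("not an absolute URL: " + url);
  const rest = m[2];
  const at = rest.lastIndexOf("@");
  const userinfo = at >= 0 ? rest.slice(0, at) : null;
  const hostPath = at >= 0 ? rest.slice(at + 1) : rest;
  const slash = hostPath.indexOf("/");
  return {
    scheme: m[1].toLowerCase(),
    userinfo,
    host: (slash >= 0 ? hostPath.slice(0, slash) : hostPath).split(":")[0],
    path: slash >= 0 ? hostPath.slice(slash) : "/",
  };
}

// RFC 1738 section 3.1 common syntax (quoted in the thread): the
// //user:password@host:port part ends at the first "/", and a "/" inside
// user or password must be percent-encoded. Under this rule the "@" in
// SAMPLE_SLASH is part of the path, not a userinfo delimiter.
function strictParse(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(url);
  if (!m) throw new Error("not an absolute URL: " + url);
  const authority = m[2];
  const at = authority.lastIndexOf("@");
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  return {
    scheme: m[1].toLowerCase(),
    userinfo: at >= 0 ? authority.slice(0, at) : null,
    host: hostport.split(":")[0],
    path: m[3] || "/",
  };
}

// Model of the display bug: the percent-decoded address is treated as a
// NUL-terminated string, so everything from %00 onward vanishes from the
// address bar and status bar.
function truncatedDisplay(url) {
  const decoded = decodeURIComponent(url); // "%00" -> "\u0000"
  const nul = decoded.indexOf("\u0000");
  return nul >= 0 ? decoded.slice(0, nul) : decoded;
}

// What the patch enforces, per RFC 1738 section 3.3: an http(s) URL
// carries no user name or password. Applied on top of the permissive
// parse, this also matches WD's later observation that any "@" at all
// now fails. ftp URLs keep their userinfo, as mickwd hoped.
function checkHttpUrl(url) {
  const p = permissiveParse(url);
  const isHttp = p.scheme === "http" || p.scheme === "https";
  if (isHttp && p.userinfo !== null) {
    return {
      ok: false,
      host: p.host,
      reason: "user name/password not allowed in " + p.scheme + " URL",
    };
  }
  return { ok: true, host: p.host, reason: null };
}

// spitzak's alternative: preview the link from the "@" onward, so the
// real host is what the user sees and the credentials stay hidden.
function statusBarPreview(url) {
  const at = url.lastIndexOf("@");
  return at >= 0 ? url.slice(at) : url;
}

// Side-by-side comparison for one URL.
function report(url) {
  return {
    shown: truncatedDisplay(url),
    permissiveHost: permissiveParse(url).host,
    strictHost: strictParse(url).host,
    patched: checkHttpUrl(url),
    preview: statusBarPreview(url),
  };
}

for (const u of [SAMPLE_SLASH, SAMPLE_NOSLASH]) {
  console.log(u, report(u));
}
```

Run it with Node. For spitzak's URL the report shows the address displayed as http://www.good.com/foo, resolved by the permissive parse to www.evil.com, resolved by the RFC 1738 common syntax to www.good.com (the "@" is in the path there), and refused outright by the rule the patch enforces; the constructed no-slash variant is the form where even a strict parser lands on www.evil.com, which is what spitzak's "preview from the @" suggestion is meant to expose.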

  2. HA HA NICE TRY by Anonymous Coward · · Score: 5, Funny

    Nice try Microsoft. I'm not clicking links while running IE, as per your instructions!

  3. Wow Security update # 832894 by Anonymous Coward · · Score: 5, Funny

    I wonder what happened to the other 832893 security updates?

    1. Re:Wow Security update # 832894 by Oroborus · · Score: 5, Interesting

      Just fyi: the update number comes from the number identifying the knowledgebase article where the problem is first identified.

  4. I'm surprised we even post this stuff... by FuzzyFurB · · Score: 5, Insightful

    I'm surprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why does half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird. :)

    --
    Will Stokes Album Shaper http://albumshaper.sf.net
    1. Re:I'm surprised we even post this stuff... by Kierthos · · Score: 5, Insightful

      Some of us are required to use IE at work because the bosses won't let us install anything else. Of course, having said that, I really wonder if the bosses would notice...

      Kierthos

      --
      Mr. Hu is not a ninja.
  5. Why is URL parsing code in the kernel? by Mr.+McGibby · · Score: 5, Interesting

    The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:

    Why the hell does this require a kernel patch?

    --
    Mad Software: Rantings on Developing So
    1. Re:Why is URL parsing code in the kernel? by Tuxedo+Jack · · Score: 5, Interesting

      Because they forced IE to integrate into the shell. Of course, there's IEliminate and similar programs which will shred IE from the system and strip any references to it from various places, and if you install IE6 off the NIS2003 disc, you can edit the install.ini file's ShellIntegration value (set it to 0), and you can use Firebird for everything else.

      --

      Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  6. Deprecating username/password in URLs by Coryoth · · Score: 5, Informative

    I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?

    Jedidiah

  7. Here are the patches: by HungWeiLo · · Score: 5, Funny

    So you don't have to match up the knowledge base numbers in WindowsUpdate:

    Here
    Here
    Here
    Here

    --
    There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
  8. Be sure to type in that link manually. by Anonymous Coward · · Score: 5, Funny

    I saw it on tv last night. I think it was

    http://microsoft.com/download/patch/win32/2004/feb/en/?&mid=2304520392lHKJH09728037420987&dll=LKJ23L4SD09UVC9432J5JS-9UDFLKJN345U9SLKJ4L5U0SJCS4

  9. Ironic given an email my mom got by MemRaven · · Score: 5, Funny
    My mom got this email this morning which purported to be from someone at Microsoft referring to this exact patch as something she could download. The only problem (aside from the fact that even my mom wouldn't have been dumb enough to type sensitive information into a form like that, AND she uses Mozilla anyway) is that the link in the email USED the flaw that it was telling her to fix.

    In other words, some email/CC#/whatever harvester decided to pull a funny and use the correction for this flaw as a way to exploit the flaw. Now that I see that the described patch is legitimate, I'm actually laughing internally at the delicious irony.

    By the time my mom got the email, the target web site had already been taken down by the sysadmin of the host.

    None of this is to condone the action of the scum who blasted the email, but come on, that took some balls.

  10. special characters? by andman42 · · Score: 5, Funny

    'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer

    Yeah, the special characters www.google.com now correctly parse to search.msn.com

  11. Re:At least better than the KB article :) by narfbot · · Score: 5, Insightful

    Read the new knowledge base article for more goodies. They say URLs in username:password format are no longer supported -- I read that as they removed the support for the format to fix the bug! And then read how they suggest to switch scripting (ActiveX?) to prompt before running. So with IE, they no longer have the URL parameters other browsers safely support, and you have to wade through a bunch of "Scripts are normally safe? Run anyways?" popups. =/ Doesn't seem like a solution for me.

  12. Re:the needed patch by Anonymous Coward · · Score: 5, Insightful

    Considering IE is less secure than Mozilla it's alarming to me that any bank would "require" it.

  13. Re:the needed patch by tupps · · Score: 5, Interesting

    Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (eg Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I believe that the Calendar module is written purely in that scripting language. Thanks Luke

    --
    Go out and get sailing!
  14. click here by danZenie · · Score: 5, Funny

    i threw away my mouse when they suggested no clicking on URLs. now they fsck it and i have no mouse, what am i gonna do? hmmm, i should post this as an "ask slashdot".

    --
    You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
  15. Something really scary.... by Joe5678 · · Score: 5, Informative

    ...is the text of the update on Microsoft's Software Update Services service...

    "...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."

    although there's no mention of that in the KB article.

  16. security coverage? by Anonymous Coward · · Score: 5, Funny

    This patch doesn't cover much, it's more like a Security pastie.

  17. Here is the behavior of IE after patching.... by WD · · Score: 5, Informative

    For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.

    When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
    The page cannot be displayed
    The page you are looking for might have been removed or had its name changed.


    Once that error message is on the screen, any attempt to go to another URL with an "@" in it (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinitely.

    This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.

    Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one.
    (Though clicking the link on that page will fail with the above described error page)