Slashdot Mirror
Internet Explorer Bug Leaks Whatever You Type In the Address Bar (arstechnica.com)
The latest version of Internet Explorer has a bug that leaks the addresses, search terms, or any other text typed into the address bar. The flaw was disclosed Tuesday by security researcher Manual Caballero. Ars Technica reports: The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn't intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services. The proof-of-concept makes it transparent that the attacking website is viewing the entered text. The hack, however can easily be modified to make the information theft completely stealthy. A proof-of-concept site shows the exploit in action.
Haven't Microsoft users switched to Edge by now?
#DeleteFacebook
Yessir, now that I'm a helpless, hopeless RUSSOPHOBE, an ADDICT of blaming the EEEEVVVVIIILLL Rooskies, let's blame this "bug" on the RUSSIANS!
--BeauHD, esq.
like we have like "jenkins" for our CI server, but instead of doing a DNS lookup for that that returns an IP address since we have a properly setup search domain, it redirects us to a Bing search for jenkins. Microsoft really still doesn't grok DNS.
Don't all browsers (Chrome, MSIE, Firefox) have this problem? The default search provider gets whatever text you type in the URL bar.
Yet another feature of a major browser that doesn't work on Firefox. I hope this will get resolved when they release that unified search/address bar.
lucm, indeed.
Is this some question rooted in making sure future privacy leaks happen faster, in a more standards-compliant way, with a different web rendering engine, or some other technocratic detail that tries to obscure the underlying non-freedom problem?
Since when would the non-free Edge browser be more trustworthy than the non-free Internet Explorer browser?
The problem is the lack of software freedom; even users skilled and willing to help themselves and others fix the problem are not given permission to know what proprietary software does (whether intentionally or by mistake). So after years of people using Windows (a known security leaky proprietary OS written by an organization that partners with spies like the NSA) more problems arise with Microsoft Internet Explorer (an apparently security leaky proprietary browser). Proprietary software users must either switch to a free software OS and run free software on that, or wait for a proprietor they can't trust to issue a fix.
Digital Citizen
All the three IE users have been warned.
Slashdot, fix the reply notifications... You won't get away with it...
So how is Chrome or Safari any more 'Free' than I.E. or Edge?
Everybody always disses Mozilla so we are not supposed to mention Firefox or Seamonkey.
Whatever you write goes into the system. Every keystroke into a text box is recorded.
Hes right. Like it or not. Chrome and Firefox release all or most code.
"New spoon has throws soup back into your face"
"Cat sues owner for pooping in its litter box"
"Internet Explorer leaks your address bar"
I tip my hat to the C64 background colours!
READY.
PRINT ""+-0
More than two days of static Slashdot. Can't we have a headline about that shit?
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
But riddle me this... shouldn't Microsoft by now have developed some manner of understanding of how to write software, so that these things Don't Happen?
Mod up this parent. I mean, really, WTF. This is /. not some social media site. We care about the site. And now, all of a sudden, we are being kept in the dark....
It's been over 25 years and FOSS hasn't solved the issue of computer security either; Open source browsers and OSs also require regular security patches.
Is he related Automatic Caballero?
"Many eyes make all bugs shallow" was pretty much debunked when OpenSSH was breached a few years ago. The code was open but only 4 eyes were looking at it.
For as large as the OSS crowd might be the OSS code base is many times larger and most people are drawn to the latest hotness like so many moths. The reason OSS security gets broken is because the devs are busy building automatic Jenga-robots or self driving boondoggles with GPUs. And why shouldn't they? They're not paid staff, that's the whole point.
The argument was never, "If you build it, they will all turn their eyes towards it checking for bugs."
The idea is that if you know you have a bug, because you use the software, and there is only the programmer at some company that is even allowed to look at the code, then they might not fix it, and they might not even have time or interest to try. Hard problems are often going to receive (if you're lucky) a work-around unless you're paying extra to get it fixed. The same situation with free software, the worse the problem is the more people are looking at it, and the easier it is to solve.
There was never anything about fixing bugs before you know about them because free software is magic. That part you made up yourself.
OSS security isn't broken, it is powering most of the infrastructure. But that isn't in the news, because "trains ran on time, 700 days uptime" isn't news.
These people just got off of DOS.
I know, remove the explorer.
Microsoft explorer leak drama aside, the 404 error system along with reading the /var/syslog does setup a stealth communications system for those whom grep the logs.
I can't be the only idiot out there who's typed a big url... say ..
http://dailycaller.com/2017/09/27/exclusive-chelsea-clintons-best-friends-defense-company-got-11-mil-in-contracts-but-doesnt-have-federal-security-clearance/
SO say I see a TYPO on that page and I want to tell the sysop. PRETEND THE WORD IS "Grule" should be "Girl" I would hit the URL
http://dailycaller.com/2017/09/27/exclusive-chelsea-clintons-best-friends-defense-company-got-11-mil-in-contracts-but-doesnt-have-federal-security-clearance/Hey-you-fux-fix-the-typo-grule-should-be-girl
I enter that three times. (So you get three entries in the log) I could put a marker like -=[ MARK ]=-hey-you-fux-fix-the-typo /or-daves-not-here-bring-the-stuff
If you don't do systems admin you probably have just had this tutor fly right over your poor head.
404 eRRoR bitchez
I can't stand it when browsers try to turn what I type in the address bar into a search. First thing I do is turn that crap off. So whether it's Internet Explorer or not, the only thing "leaking" from my address bar is the address I typed.
This is way better than the bugs IE6 used to have, 'back in the day.'
Requiem for the American Dream
Wouldn't it be terrible, if such innocent flaws in a browser in reality were to be designed to enable experimentation and testing by the power that be, for having a secondary range of software, that scoops up such data from time to time. :| The kind of software that a government spy agency (or maybe even the police/military) might use, to keep collecting such personal data on demand for testing purposes.
What's an 'internet explorer' ?
This is the first thing I test with any new browser:
(1) type a short word into the search bar, and .com.
(2) type a long random string followed by
If either one returns anything other than a DNS error, then it's time to go digging in the settings and turn off whatever auto-search nonsense they've enabled.
FWIW, most ISPs use DNS hijacking by default, but they'll let you call and opt-out (some let you do it via your account settings web page).
Note: The opt-out only applies to your current MAC address, so so you'll have to remember to tell them to opt-out of DNS hijacking if your old cablemodem dies.
Debunked isn't the way you spell pro ed. You can't identify bugs that were only identified and fixed BECAUSE it was open source and claim what you are claiming.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
People STILL use that POS???
You can look at the source fuckwit thatâ(TM)s how.
Like Heartbleed?
So this is why Linux desktop is awesome and without bugs?
> The idea is that if you know you have a bug, because you use the software, and there is only the programmer at some company that is even allowed to look at the code, then they might not fix it, and they might not even have time or interest to try
Holy shit, are you for real?
That's always been my argument *against* open source software. If you find a legitimate bug in closed source software you've actually paid for, the company that produced said software is on the hook to get it fixed; they have a financial incentive to do it, and it doesn't matter if one guy worked on that part of the program or a whole squadron. If it's truly broken, it'll get fixed.
OTOH, if I'm using some open source software and find a serious bug, it might've been created by someone who writes software on the side, as a hobby, while he's got a real 9-5 job that's keeping him from dedicating serious cycles to his hobby project. There's no financial incentive for that guy to fix the bug, and in fact, since the source is public, the response is often going to be, fix it yourself and submit the fix, or find someone who can fix it for you.
Underrated comment. Wish I had mod points today.
It any maxim this pithy, language is being used in a special register where the "modulo" term is user supplied—if the user has the wits and can ass himself to do so.
There are so many things you got wrong here, do I need to strip gold stars off your chest on both sides of this equation?
First off, the OpenSSH bug was shallow, right from the get go, to any competent pair of eyes.
Second, cryptographic software is notorious for having failure modes that require exotic instrumentation and extreme wonk vigilance to so much as notice, from any perspective outside the black box.
The cryptographic PRNG is Exhibit A in defying external validation checks. If the cryptographic protocol exchanges random values, is your randomness compromised? Somebody else's cipher, enciphering with a key you don't know, actively leaking vital state from your most precious host (though at a fairly low bit rate) is indistinguishable from true pseudo-randomness, by GRAS convention, in anything under 2^128 operations.
Third, any discovered ability to debug cryptographic software from the black box end-user perspective is almost universally regarded as itself being a bug, not a feature.
The truly ridiculous thing about the OpenSSH story is that everyone competent already knew that changes to this part of the system required explicit eyeball recruitment.
I'm a more competent driver than many other drivers in the parameters I personally care about (they might say the same, and also be correct). They say in chess that experts only see the good moves. Well, on the road, this "good move" filter should be considered hazardous. Most of my worst driving errors—the ones I've learned to notice—are where I simply fail to see that another driver might choose to push the lynchpin pawn of his or her king protection fortress. In chess, that leads to certain victory for the other side. On the road, that leads to exchanging paint or a fender bender, and contentious litigation over cause, a state of heated affairs one would rarely list under "certain victory". Therefore the wary driver should make a serious effort to tamp down any presumption of competence from anyone else. This is the hardest of driving skills to master. You're basically telling your mirror neurons to go to hell (there goes any presumption of multitasking), because the other side of the mirror is a certifiably crazy place.
I assume this is what happened in the OpenSSH saga. The original competent developers failed to put flags in the comments in all the right places to mandate extra eyeball review, because they simply couldn't comprehend that anyone would gain a commit bit to edit such a module and not already know this.
If my view is true, then one could say that OpenSSH was in fact hoist by the extreme shallowness of the risk posed, to the degree that the competent eyeballs failed to even imagine a dunce whose eyeballs who couldn't see it (they should, however, be roundly slapped for failing to conceive of a dunce whose vision was perfectly fine until impaired by a copious application of NSA grease, but with less than full decapitation mustard, as this threat vector remained mildly hypothetical prior to the horrific Snowden dump).
Overall score—way to not understand how maxims work.
I do grant that this maxim is far from perfect. Even on day one, it was properly understood as somewhat aspirational in tone, and as having a legitimate counter-propaganda mandate, because the reverse opinion (widely held) was even more wrong.
And you then submit your patches where??
Web Analytics has been capturing this data for the past 10-15 years, this is nothing new, its not a bug, its a feature everyone uses for web analytics
Exactly. Fixed almost instantly. As soon as the bug was in the news, there was also an open solution in the news. When the eyes turned to the bug, it became shallow. And not before that, of course.
And THAT is why I use Chrome for surfing porn!!!
In existence for how many years though?
That's not on topic, you're just burbling words and hoping somehow it might add up to a point.
Do try to comprehend words before replying to them.
https://en.wikipedia.org/wiki/.... Now off you fuck, there's a good boy.
Sorry little boy, you were born yesterday and you didn't play nice so you were stupid and ignored too. When you've been here as long as I have, you don't care what idiot new users blather about.