Slashdot Mirror
Internet Explorer Bug Leaks Whatever You Type In the Address Bar (arstechnica.com)
The latest version of Internet Explorer has a bug that leaks the addresses, search terms, or any other text typed into the address bar. The flaw was disclosed Tuesday by security researcher Manual Caballero. Ars Technica reports: The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn't intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services. The proof-of-concept makes it transparent that the attacking website is viewing the entered text. The hack, however can easily be modified to make the information theft completely stealthy. A proof-of-concept site shows the exploit in action.
Haven't Microsoft users switched to Edge by now?
#DeleteFacebook
like we have like "jenkins" for our CI server, but instead of doing a DNS lookup for that that returns an IP address since we have a properly setup search domain, it redirects us to a Bing search for jenkins. Microsoft really still doesn't grok DNS.
Yet another feature of a major browser that doesn't work on Firefox. I hope this will get resolved when they release that unified search/address bar.
lucm, indeed.
Is this some question rooted in making sure future privacy leaks happen faster, in a more standards-compliant way, with a different web rendering engine, or some other technocratic detail that tries to obscure the underlying non-freedom problem?
Since when would the non-free Edge browser be more trustworthy than the non-free Internet Explorer browser?
The problem is the lack of software freedom; even users skilled and willing to help themselves and others fix the problem are not given permission to know what proprietary software does (whether intentionally or by mistake). So after years of people using Windows (a known security leaky proprietary OS written by an organization that partners with spies like the NSA) more problems arise with Microsoft Internet Explorer (an apparently security leaky proprietary browser). Proprietary software users must either switch to a free software OS and run free software on that, or wait for a proprietor they can't trust to issue a fix.
Digital Citizen
All the three IE users have been warned.
Slashdot, fix the reply notifications... You won't get away with it...
And so does whatever web site you were already on when you pressed enter. That's the difference. For some reason, they update the JavaScript location object before actually navigating.
"New spoon has throws soup back into your face"
"Cat sues owner for pooping in its litter box"
"Internet Explorer leaks your address bar"
I tip my hat to the C64 background colours!
READY.
PRINT ""+-0
More than two days of static Slashdot. Can't we have a headline about that shit?
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
But riddle me this... shouldn't Microsoft by now have developed some manner of understanding of how to write software, so that these things Don't Happen?
Mod up this parent. I mean, really, WTF. This is /. not some social media site. We care about the site. And now, all of a sudden, we are being kept in the dark....
It's been over 25 years and FOSS hasn't solved the issue of computer security either; Open source browsers and OSs also require regular security patches.
"Many eyes make all bugs shallow" was pretty much debunked when OpenSSH was breached a few years ago. The code was open but only 4 eyes were looking at it.
For as large as the OSS crowd might be the OSS code base is many times larger and most people are drawn to the latest hotness like so many moths. The reason OSS security gets broken is because the devs are busy building automatic Jenga-robots or self driving boondoggles with GPUs. And why shouldn't they? They're not paid staff, that's the whole point.
The argument was never, "If you build it, they will all turn their eyes towards it checking for bugs."
The idea is that if you know you have a bug, because you use the software, and there is only the programmer at some company that is even allowed to look at the code, then they might not fix it, and they might not even have time or interest to try. Hard problems are often going to receive (if you're lucky) a work-around unless you're paying extra to get it fixed. The same situation with free software, the worse the problem is the more people are looking at it, and the easier it is to solve.
There was never anything about fixing bugs before you know about them because free software is magic. That part you made up yourself.
OSS security isn't broken, it is powering most of the infrastructure. But that isn't in the news, because "trains ran on time, 700 days uptime" isn't news.
I can't stand it when browsers try to turn what I type in the address bar into a search. First thing I do is turn that crap off. So whether it's Internet Explorer or not, the only thing "leaking" from my address bar is the address I typed.
Incompetence?
Slashdot, fix the reply notifications... You won't get away with it...
This is way better than the bugs IE6 used to have, 'back in the day.'
Requiem for the American Dream
Debunked isn't the way you spell pro ed. You can't identify bugs that were only identified and fixed BECAUSE it was open source and claim what you are claiming.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
People STILL use that POS???
You can look at the source fuckwit thatâ(TM)s how.
Like Heartbleed?
So this is why Linux desktop is awesome and without bugs?
It any maxim this pithy, language is being used in a special register where the "modulo" term is user supplied—if the user has the wits and can ass himself to do so.
There are so many things you got wrong here, do I need to strip gold stars off your chest on both sides of this equation?
First off, the OpenSSH bug was shallow, right from the get go, to any competent pair of eyes.
Second, cryptographic software is notorious for having failure modes that require exotic instrumentation and extreme wonk vigilance to so much as notice, from any perspective outside the black box.
The cryptographic PRNG is Exhibit A in defying external validation checks. If the cryptographic protocol exchanges random values, is your randomness compromised? Somebody else's cipher, enciphering with a key you don't know, actively leaking vital state from your most precious host (though at a fairly low bit rate) is indistinguishable from true pseudo-randomness, by GRAS convention, in anything under 2^128 operations.
Third, any discovered ability to debug cryptographic software from the black box end-user perspective is almost universally regarded as itself being a bug, not a feature.
The truly ridiculous thing about the OpenSSH story is that everyone competent already knew that changes to this part of the system required explicit eyeball recruitment.
I'm a more competent driver than many other drivers in the parameters I personally care about (they might say the same, and also be correct). They say in chess that experts only see the good moves. Well, on the road, this "good move" filter should be considered hazardous. Most of my worst driving errors—the ones I've learned to notice—are where I simply fail to see that another driver might choose to push the lynchpin pawn of his or her king protection fortress. In chess, that leads to certain victory for the other side. On the road, that leads to exchanging paint or a fender bender, and contentious litigation over cause, a state of heated affairs one would rarely list under "certain victory". Therefore the wary driver should make a serious effort to tamp down any presumption of competence from anyone else. This is the hardest of driving skills to master. You're basically telling your mirror neurons to go to hell (there goes any presumption of multitasking), because the other side of the mirror is a certifiably crazy place.
I assume this is what happened in the OpenSSH saga. The original competent developers failed to put flags in the comments in all the right places to mandate extra eyeball review, because they simply couldn't comprehend that anyone would gain a commit bit to edit such a module and not already know this.
If my view is true, then one could say that OpenSSH was in fact hoist by the extreme shallowness of the risk posed, to the degree that the competent eyeballs failed to even imagine a dunce whose eyeballs who couldn't see it (they should, however, be roundly slapped for failing to conceive of a dunce whose vision was perfectly fine until impaired by a copious application of NSA grease, but with less than full decapitation mustard, as this threat vector remained mildly hypothetical prior to the horrific Snowden dump).
Overall score—way to not understand how maxims work.
I do grant that this maxim is far from perfect. Even on day one, it was properly understood as somewhat aspirational in tone, and as having a legitimate counter-propaganda mandate, because the reverse opinion (widely held) was even more wrong.
And you then submit your patches where??
Exactly. Fixed almost instantly. As soon as the bug was in the news, there was also an open solution in the news. When the eyes turned to the bug, it became shallow. And not before that, of course.
In existence for how many years though?
That's not on topic, you're just burbling words and hoping somehow it might add up to a point.
Do try to comprehend words before replying to them.
https://en.wikipedia.org/wiki/.... Now off you fuck, there's a good boy.
Sorry little boy, you were born yesterday and you didn't play nice so you were stupid and ignored too. When you've been here as long as I have, you don't care what idiot new users blather about.