Forgot your password?
typodupeerror
Microsoft

Microsoft Security Patch Fixes URL Security Flaw 545

Posted by simoniker
from the no-more-typing-URLs dept.
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
This discussion has been archived. No new comments can be posted.

Microsoft Security Patch Fixes URL Security Flaw

Comments Filter:
  • by AuMatar (183847) on Monday February 02, 2004 @07:16PM (#8164185)
    I can stop typing in all my links by hand?

    Oh wait- I use Mozilla. I didn't need to do that anyway.
    • Re:Does this mean (Score:5, Informative)

      by SultanCemil (722533) on Monday February 02, 2004 @07:23PM (#8164282)
      Wait mozilla supports HYPERLINKS? wow. I do need to upgrade my browser.

      Seriously, though - I think one of the bigger changes in this release is that IE no longer support username/password in the URL (http://me:you@whatever.com). No more easy pr0n surfing.

      • Re:Does this mean (Score:5, Informative)

        by interiot (50685) on Monday February 02, 2004 @07:43PM (#8164478) Homepage
        Huh. I had kind of assumed that the username/password was part of the official URI spec, but apparently not [w3.org]:
        • httpaddress
          • h t t p : / / hostport [ / path ] [ ? search ]

          ftpaddress
          • f t p : / / login / path [ ftptype ]

          login
          • [ user [ : password ] @ ] hostport

          hostport
          • host [ : port ]
        • Re:Does this mean (Score:4, Interesting)

          by the_mad_poster (640772) <shattoc@adelphia.com> on Monday February 02, 2004 @07:53PM (#8164563) Homepage Journal

          Not sure what you were looking for specifically, but the user:pass@host scheme is defined in RFC 1738 [rfc.net].

          And, no, they're not breaking the spec. It's optional:

          Some or all of the parts ":@", ":", ":", and "/" may be excluded.

          They're just being dumb. As usual.

          • Re:Does this mean (Score:5, Informative)

            by Holi (250190) on Monday February 02, 2004 @08:29PM (#8164901)
            No for http requests the username and password are NOT allowed.

            RFC 1738 - Page 8
            3.3. HTTP

            The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

            The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form:

            http://(host>):(port)/(path)?(searchpart)

            where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed.

          • Re:Does this mean (Score:5, Interesting)

            by gunpowder (614638) <slash...dot...xam@@@recursor...net> on Monday February 02, 2004 @08:49PM (#8165084)
            I love people referencing to some RFC, but then not reading it themselves :-P

            You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that URL can take.

            The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
            Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol ) and not.

            Let's look at HTTP (excerpt from the RFC):


            An HTTP URL takes the form:

            http://<host>:<port>/<path>?<searchpart>

            where and are as described in Section 3.1. If :<port>
            is omitted, the port defaults to 80. No user name or password is
            allowed.



            Also your remark "They're just being dumb. As usual." is wrong.
            Actually they finally conform to a open specification!
      • Re:Does this mean (Score:5, Insightful)

        by mickwd (196449) on Monday February 02, 2004 @07:47PM (#8164513)
        Yes, I'm a little surprised there hasn't been more of a fuss over this.

        Is this really the best Microsoft can do ?

        Whenever a URL with an "xxx[:yyy]@" prefix is clicked or entered, why couldn't they pop up a login dialog box, specifying the name of the site (WITHOUT the xxx[:yyy]@ prefix), filling in the user name and password (i.e. the "xxx" and "yyy" in the appropriate fields), and asking for confirmation of the site to be visited ?

        Or at least allow a configurable option such as "Disallow username/password in URLs / Prompt with Dialog Box / Allow" (with the default set to Disallow). That way, advanced users would still be able to use the username:password@ syntax if they enable the option. It's actually pretty useful as a quick way to transfer files by FTP, so I hope it's still supported over FTP.
        • Re:Does this mean (Score:5, Informative)

          by pen (7191) on Monday February 02, 2004 @08:01PM (#8164646)
        • by Anonymous Coward on Monday February 02, 2004 @08:21PM (#8164844)
          This patch doesn't cover much, it's more like a Security pastie.
    • Yes indeed. Actually, if they did implement the workaround as initially designed, IE users will be unable to navigate such links when using SSL.

      Of course, Moz/Fb/Opera will continue to operate as usual ;)

      As an aside, there are many other fixes in this update that may be "hidden" under this obvious one... time to RTFA again at subsonic speed.

  • by vargul (689529) on Monday February 02, 2004 @07:16PM (#8164196) Journal
    hm... they should patch IE up to be mozilla for example... that could be called a patch...
    • by jonfromspace (179394) <jonwilkinsNO@SPAMgmail.com> on Monday February 02, 2004 @07:20PM (#8164252)
      No offense... but this is getting old.

      Yes, Mozilla is better than IE in alot of cases... but don't forget, the average user still uses the internet for email, online banking, and news sites.

      And guess where you are more than likely to run into an "I.E. reccomended" site? Online banking.

      Yes, "developers should...", but Developers should do a lot of stuff that they never will. Reality is, Mozilla is a far way from replacing I.E.
      • by roystgnr (4015) <roystgnrNO@SPAMticam.utexas.edu> on Monday February 02, 2004 @07:31PM (#8164369) Homepage
        Yes, Mozilla is better than IE in alot of cases... but don't forget, the average user still uses the internet for email, online banking, and news sites.

        So do I.

        And guess where you are more than likely to run into an "I.E. reccomended" site? Online banking.

        Not at my little bank [bankofamerica.com].

        Reality is, Mozilla is a far way from replacing I.E.

        Well, if your bank sucks, I suppose so. I'd be curious about which bank it is, though; the only place I still see "You should have Internet Explorer!" pages is zone.msn.com.
        • You know (Score:5, Insightful)

          by Sycraft-fu (314770) on Monday February 02, 2004 @09:22PM (#8165330)
          It's MUCH harder to change your bank than to patch your browser. While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank, it can be a real pain if you have something like, say, a mortgage on a house. If you do, you have two options:

          1) Refininance at a new bank. This can cost you money, and, if intrest rates go up, give you a wrose rate.

          2) Move your checking/savings, and leave your mortgage, which means you need to do bussiness with two banks.

          Idealism with browers is all well and good but there are real world concerns with simply telling a bank to stick it in many cases.

          Some banks just suffer from a case of being stupid with browsers. One of my coworkers had a bank like that. They actually supported netscape too, but thing was they did NOT support Mozilla. I've a feeling it would actually have worked fine, but their little script checked the browser ID and refused to let him try and log in.
          • Re:You know (Score:4, Interesting)

            by roystgnr (4015) <roystgnrNO@SPAMticam.utexas.edu> on Monday February 02, 2004 @11:36PM (#8166192) Homepage
            It's MUCH harder to change your bank than to patch your browser.

            Yes, it is. You should try the "fake user agent" patches that others have suggested, for example; they usually come in the cross-platform installer (.xpi) format that Mozilla and Firebird can install in two clicks.

            While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank

            Nice wisecrack, but you don't need to feign concern; I don't drink and I've got a few years pizza money saved up should it come to that.

            When I do get a home mortgage, though, could you let me know which banks I ought to be avoiding? For such a serious concern it's odd how abstract this whole thread is. A brief "I banked with X, their website doesn't suppor Mozilla, and when I tried contacting their webmaster and using a user-agent faker the results were Y and Z" would be helpful.

      • Re:the needed patch (Score:5, Informative)

        by Trogre (513942) on Monday February 02, 2004 @07:40PM (#8164450) Homepage
        Reality is, Mozilla is a far way from replacing I.E.

        Perhaps so, but I use the web for business and recreation on average 6 hours a day, and have never in the last three years had to resort to IE.

        Except, that is, for ensuring that web pages I write render correctly on the lowest common denominator.

      • by Anonymous Coward on Monday February 02, 2004 @07:42PM (#8164466)
        Considering IE is less secure than Mozilla it's alarming to me that any bank would "require" it.
      • I've been using Bofa online banking [bofa.com] for over a year now with Firebird with NO problems except one small CSS issue that appears when setting up a payee in Bill-Pay.

        Instead of complaining about banks that recommend IE, move to BofA and tell your existing bank why you are moving!

        "Blah blah, status quo, what can you do?"... as soon as it hurts their pockets, they'll add Mozilla support.

        Don't just move for the tech though - the BofA system is very well thought out and feature rich and sells itself pretty we

      • Re:the needed patch (Score:5, Interesting)

        by the_mad_poster (640772) <shattoc@adelphia.com> on Monday February 02, 2004 @08:11PM (#8164746) Homepage Journal

        I just canceled a credit card with MBNA because they added a browser sniffer that kept telling me I had "an older version of Netscape" and I needed to upgrade. Wouldn't let me into the site on FB 0.7 on Linux, so I sent them a nice little "fuck you too" cancel request explaining that their site is broken and that's why I'm canceling.

        And yes, the site worked just fine in FB 0.7 once I sent an IE 6.0 UA.

        I make it a point to relentlessly hound businesses that pull that little stunt. I also post their links on Open Source boards so everyone can get a shot at them. And don't tell me it's childish or rude or anything else - if they hadn't intentionally broken the site in the first place I wouldn't be obligated to tell everyone that the site is crippled. If they can't even hire half-competent web designers (or, more likely, if their management weren't typically incompetent and it actually listened to the web designers) why should I assume that they're capable of handling something as complex as my banking? They're cutting corners there, where else might they be?

    • Franly, the last time I checked Mozilla, the UI sucked. My apologies if they've changed the fundamentally flawed UI since I've last checked.

      But seriously, I've actually taken advantage of the IE/Windows integration, the fact that your FAvorites are acutally files in folders, the way I can embed HTML in my OS taskbar to provide useful functions, and I can REMOVE and COMBINE (not just collapse to fewer pixels) the toolbars to make the best use of my high resolution screen.

      Despite the security problems whic
      • Re:the needed patch (Score:5, Interesting)

        by ejdmoo (193585) on Monday February 02, 2004 @07:42PM (#8164468)
        Think Firebird [mozilla.org]. I hated Mozilla, loved Firebird. :)
      • Re:the needed patch (Score:5, Interesting)

        by tupps (43964) on Monday February 02, 2004 @07:48PM (#8164518) Homepage
        Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (eg Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I beleive that the Calendar module is written purely in that scripting language. Thanks Luke
        • Slashdot is the best use of tabs I've found to date. I LOVE being able to open a new tab with the "Reply to This" links. Another awesome use is when spillover occurs and I can't see all the comments I want to. I can just hit the "x comments below..." links to open them in new tabs, then close the tabs down as I read up through the "hidden" posts in a long thread. Since the tabs open chronologically (unlike windows which just sort of scatter), this works REALLY well.

      • Re:the needed patch (Score:4, Interesting)

        by Mr_Matt (225037) on Monday February 02, 2004 @07:50PM (#8164539)
        And before anyone tries to call me lazy, I challenge any mouse-wheel addicted user to disable the wheel.

        Challenge met, sir, let me get my hammer...

        *whomp* *whomp* *WHOMP* ...yeah, that ought to do it. :)

        And while I appreciate that you enjoy the features you list above (fav's in folders, taskbar access, toolbar mobility) they're not for everyone. Me, for example - I tend to struggle with Microsoft's 'You Must Double-Click A Lot To Get Your File Structure Sorted' hierarchy, and all those damn toolbars just eat space on my not-so-high resolution screen. To each their own, I suppose.

        Anyways, if you haven't already, try Firebird - you lose some of the things you like, but the UI is about as intuitive as any I've used, especially in Linux. Cut-n-pasting URLs into new tabs with four mouse clicks and a whammy on the NumPad key just looks cool.
        • Re:the needed patch (Score:3, Informative)

          by bonch (38532)
          Me, for example - I tend to struggle with Microsoft's 'You Must Double-Click A Lot To Get Your File Structure Sorted' hierarchy, and all those damn toolbars just eat space on my not-so-high resolution screen. To each their own, I suppose.

          So set Explorer to single-click folders, and remove toolbars or size their graphics to Small.
  • I am sure M$FT will spin it as if this is an innovative feature.

    S
    • by Anonymous Coward
      You know, lots of people roll their eyes when they see someone refer to Microsoft as 'M$' or Windows as 'WinBlowz' or something like that. Some people might even go as far as to flame you for it. Personally, I'm all in favour of it! Nothing makes me happier when I see someone make fun of Microsoft in that way! You know why? Because the quicker I see 'M$' or 'WinDOS' in a comment, the quicker I can disregard everything you've wrote, scroll past your post and add you to my 'retarded peon' list, never to take
    • by narfbot (515956) on Monday February 02, 2004 @07:26PM (#8164323)
      Read the new knowledge base article for more goodies. They say URL's in username:password format are no longer supported -- I read that as they removed the support for the format to fix the bug! And then read how they suggest to switch scripting (ActiveX?) to prompt before running. So with IE, they no longer have the URL parameters other browsers safely support, and you have to wade through a bunch of "Scripts are normally safe? Run anyways?" popups. =/ Don't seem like a solution for me.
      • Yes, but they did provide warning:

        http://support.microsoft.com/default.aspx?scid=k b; [LN];834489

        Note that this KB article was changed today to reflect that it is indeed in this patch, however, this article has been up since Early January or so...

        Not that I think it's the right way to do things, but they did provide some warning that it was coming.
  • by Anonymous Coward on Monday February 02, 2004 @07:17PM (#8164210)
    Now check your in-boxes and make the InterWeb a Safer Place TM.
    • Oh, right, that "January 2004, Cumulative Patch" that was written with very poor grammar, that I get 50 copies a day sent to my mailbox.

      It also says "Thank you for using Microsoft products," something that I have never heard M$ say, ever, and also despite the fact that I don't regularly use "Microsoft products."

  • by Anonymous Coward on Monday February 02, 2004 @07:17PM (#8164211)
    Nice try Microsoft. I'm not clicking links [microsoft.com] while running IE, as per your instructions!
  • by Anonymous Coward on Monday February 02, 2004 @07:18PM (#8164220)
    I wonder what happened to the other 832893 security updates?
  • by FuzzyFurB (148573) on Monday February 02, 2004 @07:18PM (#8164221) Homepage
    I'm supprised we still post this stuff. It's a never-ending saga. People find massive holes in IE. Microsoft ignores problems. People exploit problem. Microsoft, slowly, responds. Why does half of Slashdot's users still use Internet Exploiter? Get the monkey off your back, switch to Mozilla Firebird [mozilla.org]. :)
  • So why is MS posting this? Nothing in this seems like it can't wait 8 days...

    Oh and for all of you who don't use Windows SUS - why not? I'm going to patch 350 machines with 5 clicks later this week. Stop your bitchin and get better tools.
  • by Mr. McGibby (41471) on Monday February 02, 2004 @07:20PM (#8164248) Homepage Journal
    The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:

    Why the hell does this require a kernel patch?
  • by Coryoth (254751) on Monday February 02, 2004 @07:21PM (#8164260) Homepage Journal
    I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?

    Jedidiah
    • It is exactly that. Breaking RFCs. I forget the number, but someone posted it in the last slashdot article about this.

    • Doesn't this violate some kind of standard, getting rid of the user:pass@ syntax? I mean, I haven't used it a lot but occasionally, yeah.

      Arbitrary decisions to alter the working of the internet just like this seem very incorrect to me. Wouldn't some kind of warning suffice?

      Like,
      "Warning: the link you just clicked contains a username - the website address might be deliberately spoofed!

      [ ] Don't show this again."
      - or something like that...
    • by Squarewav (241189) on Monday February 02, 2004 @07:38PM (#8164421)
      I was under the impression that their fix was simply make http(s)://user:password@www.address.net invalid. If so, that's not so much a fix, as just deciding to break some functionality. Can someone confirm that this is what the "fix" actually is?
      That method of user/password should have never been alowed in the first place. Sure its easy but come on, yah broadcasting your username and password to every node along the way is such a good idea, saves some trouble of pharseing the html. not to mention any spyware that sends back what you type into the adress bar
  • I switched away from IE a while ago because the browser windows would mysteriously disappear while using Microsoft's own Virtual Desktop Manager. Firebird works fine with it. It's ironic that Firebird integrates more well with one of MS's products than MS's own product does.
    • by koh (124962)
      The irony here is that Firebird probably works on VDs only because it _only_ uses _documented_ WIN32 APIs.

      When you expose things to the outside, you have to make them work. Not so for the inside hacks. Too bad :)
  • by southpolesammy (150094) on Monday February 02, 2004 @07:21PM (#8164264) Journal
    notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer

    So now all those goatse URL's finally parse back to the trolls at /.
  • by swimfastom (216375) on Monday February 02, 2004 @07:21PM (#8164266) Homepage
    Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."

    I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
  • by HungWeiLo (250320) on Monday February 02, 2004 @07:23PM (#8164288)
    So you don't have to match up the knowledge base numbers in WindowsUpdate:

    Here [mozilla.org]
    Here [opera.com]
    Here [kde.org]
    Here [apple.com]
  • by Anonymous Coward on Monday February 02, 2004 @07:24PM (#8164298)
    I saw it on tv last night. I think it was

    http://microsoft.com/download/patch/win32/2004/f eb/en/?&mid=2304520392lHKJH09728037420987&dll=LKJ2 3L4SD09UVC9432J5JS-9UDFLKJN345U9SLKJ4L5U0SJCS4
  • by MemRaven (39601) <<kirk> <at> <kirkwylie.com>> on Monday February 02, 2004 @07:24PM (#8164300)
    My mom got this email this morning which purported to be from someone at Microsoft referring to this exact patch as something she could download. The only problem (aside from the fact that even my mom wouldn't have been dumb enough to type sensitive information into a form like that, AND she uses Mozilla anyway) is that the link in the email USED the flaw that it was telling her to fix.

    In other words, some email/CC#/whatever harvester decided to pull a funny and use the correction for this flaw as a way to exploit the flaw. Now that I see that the described patch is legitimate, I'm actually laughing internally at the delicious irony.

    By the time my mom got the email, the target web site had already been taken down by the sysadmin of the host.

    None of this is to condone the action of the scum who blasted the email, but come on, that took some balls.

    • by lildogie (54998) on Monday February 02, 2004 @07:58PM (#8164622)
      This just points out the fundamental flaw of Windows Update: a smart hacker would attack the update process that's used to harden the system.

      Just wait.
    • "Score:5, Funny"? Unfortunately MemRaven isn't joking - I got one of these things too, from Korea in my case although the standard of English and spelling in the body makes me the the origin was the US. Here's the body, so you can see for yourself - the Subject was "Microsoft Security Update KB872446":

      Dear Valued User!

      At 2 : 12 Eastern Time on Friday-January 30, 2004,
      Microsoft started investigating reports of a variant of a new worm "Novarg", known as Mydoom.B.

      This virus reportedly blocks access t

  • by andman42 (721375) on Monday February 02, 2004 @07:26PM (#8164316)
    'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer

    Yeah, the special characters www.google.com now correctly parse to search.msn.com
  • by loteck (533317) on Monday February 02, 2004 @07:27PM (#8164327) Homepage
    I don't know if these last security holes were just the straw that broke, but I've had no fewer than 20 people comment to me over this last week that they are sick of IE, and are lookin for alternatives.

    It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.

    I left IE as well last week, opting instead for Opera [opera.com], and really couldn't be happier. Screw 'em, I want my tabbed browsing!

  • "This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

    http(s)://username:password@server/resource.ext "


    ...and even though they conti
    • Yeah, really...why do you ask?

      Since /.'ers seem to get technological tunnel vision, so here's a few hints on what the average user is really like:

      1. They are convinced the monitor is actually the computer. I don't know what they think that big tower does, but since they have it piled high with boxes, blankets, and it holds up their space heater, they've more than likely forgotten that its there.

      2. They have cable / dsl that they use to connect to aol and they have absolutely no firewalls or virus pro
    • by ad0gg (594412) on Monday February 02, 2004 @08:06PM (#8164687)
      URL RFC [ohio-state.edu]

      If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.

      They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.

    • If you are referring to the URI request for comments then you are wrong, it's not a standard. Check it out [w3.org] for yourself, the login syntax ([ user [ : password ] @ ] hostport) is only mentined inside of telnet:// and ftp:// not http:// or https://
  • by Anonymous Coward on Monday February 02, 2004 @07:32PM (#8164379)
    It merely removes the feature containing the flaw. For an implementation of the feature without the flaw, see http://www.mozilla.org/
  • Microsoft is so market driven it makes me laugh. They seem to only release patches when the complaint buzz gets high enough. As I understand it, some of the vulnerabilities in IE have been known for almost a year. Glad to see security is such a priority.

    This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.

  • by GoMMiX (748510) on Monday February 02, 2004 @07:34PM (#8164392)
    Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on it's current assets. Talk about a load of smelly poo...
  • Why not just use k-meleon and be done with it? Its fast if not the fastest browser on Windows. Based on Gecko, its got all of the stuff that mozilla does, but none of the heavy GUI (K-meleon is pure MFC).

    http://kmeleon.sourceforge.net [sourceforge.net]
  • Fixed Indeed (Score:5, Interesting)

    by quantaman (517394) on Monday February 02, 2004 @07:39PM (#8164430)
    This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

    http(s)://username:password@server/resource.ext


    Unfortunatly this isn't fixed as it should be, ie you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that problem this was unfixable presumably the reason for disallowing the '@' alltogether rather than a real fix. I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
    Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
    • Re:Fixed Indeed (Score:3, Interesting)

      by StaticLimit (26017)
      If they can't fix the problem by allowing the real URL to be displayed then I have to ask what they are using this special character for?

      I can't think of a good reason for having a special character in the first place that suppresses display of everything after it unless Microsoft needs it for some special purpose behind the scenes.

      Can you just accidently end up with these things? Is it because the common controls they use have this "feature" which is needed in other applications and so IE just inherited
    • Re:Fixed Indeed (Score:4, Interesting)

      by spitzak (4019) on Monday February 02, 2004 @09:21PM (#8165318) Homepage
      I agree. I am absolutely floored by how stupid this "patch" is. It does not even address the basic bug! (the basic bug is that the preview always ends at a %00).

      There are a hundred other fixes they could do that would be better than this one. It is going to break sites! Certianly in-house things use this plenty for low security, and it should be quite good security for one-off passwords that only work for a very short time.

      Number 1 fix would be to preview the url in it's entirety. %00 should show as %00.

      Now a lot of people have pointed out that the '@' syntax still fools a lot of people anyway (that was why a bunch of MS trolls claimed the same bug was in Mozilla, because they were stupid enough to be fooled by this). So number 2 fix, while they are looking at that code, is change it so that everything before the @ is not displayed. This also will hide the username/password for (obviously weak) security.

      Removing the '@' does nothing for people fooled by "//www.microsoft.com.evil.org" thinking it goes to Microsoft and not Evil. So maybe rearrange URL's like "//com.evil.org(www.microsoft.com.evil.org)/..." or come up with a new standard for previewing them like "///org/evil/com/microsoft/www//..." so the most importante information is first. Obviously this is tough to design, but Microsoft could do this and perhaps impress people here, rather than annoy them with their incredibly lame "solutions".

      . This is getting more tricky since it could be used to hide information
  • by Progman3K (515744) on Monday February 02, 2004 @07:52PM (#8164553)
    And since MS has closed-source, I can never be sure, therefore I won't use Microsoft anymore.

    They're a breeding-ground of spam and everything that's out of control is their own fault due to their policies.

  • click here (Score:5, Funny)

    by danZenie (613768) on Monday February 02, 2004 @07:56PM (#8164591) Homepage
    i threw away my mouse when they suggested no clicking on URLs. now they fsck it and i have now mouse, what am i gonna do? hmmm, i should post this as an "ask slashdot".

  • RFC 1738 (Score:5, Informative)

    by BSDevil (301159) on Monday February 02, 2004 @07:58PM (#8164614) Journal
    Turns out this behaviour is specified in RFC 1738 (Uniform Reasource Locator), where it defines a URL as being of the form:

    //<user>:<password>@<host>:<port>/<url-pa th>

    Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?
  • by antdude (79039) on Monday February 02, 2004 @07:58PM (#8164615) Homepage Journal
    You can read the details here [broadbandreports.com] and here [broadbandreports.com] (original thread). It was caused by an update released back in November 2003.
  • by chrisgeleven (514645) on Monday February 02, 2004 @08:08PM (#8164713) Homepage
    My university uses an Exchange 2003 server for its e-mail. Well apparently this patch breaks logon using Outlook Web Access on that server. Turns out the username and password is in the URL being sent to the server, the same thing this patch kills.

    Not sure if this is the way it is with every Exchange server or if it is how my university's server is configured, but if you use OWA you might want to be careful with this patch.
  • by Joe5678 (135227) on Monday February 02, 2004 @08:10PM (#8164743)
    ...is the text of the update on Microsoft's Software Update Services service...

    "...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."

    although there's no mention of that in the KB article.
  • by Penguinshit (591885) on Monday February 02, 2004 @08:18PM (#8164817) Homepage Journal

    From the alert:

    * For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)

    The link "tailspintoys.com" actually goes to "tailspingtoys.com" (which is not resolved at all).
  • by WD (96061) on Monday February 02, 2004 @08:40PM (#8165007)
    For starters, the MS page does not list Windows Me at all in the list of supported operating systems. But checking on my parents' machine (WinMe), that very cumulative IE update is listed on WindowsUpdate. I installed the update and here's how IE now behaves.

    When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
    The page cannot be displayed
    The page you are looking for might have been removed or had its name changed.


    Once that error message is on the screen, any attempt to go to another URL with an "@" in the screen (by clicking on the URLBar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank and the throbber will continue spinning indefinately.

    This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.

    Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one: this one [secunia.com].
    (Though clicking the link on that page will fail with the above described error page)
  • Its Good Thing (Score:4, Insightful)

    by byron036 (178130) <rgant@@@alum...wpi...edu> on Monday February 02, 2004 @09:08PM (#8165226)

    I think this fix is a great thing. Now when my friends say "The porn sites won't work anymore" I can say "Here Try this [mozilla.org]"

    Finally Microsoft gives me a perfect answer to "But why should I switch?" questions.

Anyone can do any amount of work provided it isn't the work he is supposed to be doing at the moment. -- Robert Benchley

Working...