Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
It's not the 2nd Tuesday... (Score:2, Informative)
Oh and for all of you who don't use Windows SUS - why not? I'm going to patch 350 machines with 5 clicks later this week. Stop your bitchin and get better tools.
Deprecating username/password in URLs (Score:5, Informative)
Jedidiah
Re:It's not the 2nd Tuesday... (Score:2, Informative)
Re:Does this mean (Score:5, Informative)
Seriously, though - I think one of the bigger changes in this release is that IE no longer supports username/password in the URL (http://me:you@whatever.com). No more easy pr0n surfing.
Re:Deprecating username/password in URLs (Score:3, Informative)
Re:I'm supprised we even post this stuff... (Score:2, Informative)
Re:Why is URL parsing code in the kernel? (Score:1, Informative)
The poster was somewhat ambiguously referring to the versions of Windows that were affected, not the area of the system that was.
Re:Deprecating username/password in URLs (Score:5, Informative)
That method of user/password should never have been allowed in the first place. Sure, it's easy, but come on, yeah, broadcasting your username and password to every node along the way is such a good idea; saves some trouble of parsing the HTML. Not to mention any spyware that sends back what you type into the address bar.
Re:Deprecating username/password in URLs (Score:3, Informative)
Re:the needed patch (Score:5, Informative)
Perhaps so, but I use the web for business and recreation on average 6 hours a day, and have never in the last three years had to resort to IE.
Except, that is, for ensuring that web pages I write render correctly on the lowest common denominator.
Re:the needed patch (Score:2, Informative)
I use several different email and news sites regularly and haven't found any that don't work right.
Some will occasionally have very minor display issues.
MSN/MSNBC will have features that don't support other browsers, but that's to be expected from MS.
*BTW Explorer is my preferred browser on my XP machine.
Re:Does this mean (Score:5, Informative)
ftpaddress
login
hostport
Bank of America highly recommended (Score:3, Informative)
I've been using Bofa online banking [bofa.com] for over a year now with Firebird with NO problems except one small CSS issue that appears when setting up a payee in Bill-Pay.
Instead of complaining about banks that recommend IE, move to BofA and tell your existing bank why you are moving!
"Blah blah, status quo, what can you do?"... as soon as it hurts their pockets, they'll add Mozilla support.
Don't just move for the tech though - the BofA system is very well thought out and feature rich and sells itself pretty well. I now pay all my bills through it. It even lets you send payments to individuals (I assume it mails them a check - never used it). I'm now down to writing 4 checks a month, and am hoping to eliminate those soon (I think my wife's going to take a little more coaxing though before she kicks the habit :).
cLive ;-)
Re:the needed patch (Score:2, Informative)
Same here - I work for Ames Lab (not NASA Ames, Dept of Energy Ames Lab in Ames, IA) - I'm the new webmonkey for the condensed matter physics page (http://cmp.ameslab.gov -- the current version of the page is NOT my work). I switch between Opera, IE and Mozilla for testing - but for my browsing needs it's been straight Netscape/Mozilla since the internet was invented -- not _once_ have I had a problem accessing banks, etc. using Mozilla -- funny thing is my own community CC had more problems with IE users than Netscape/Mozilla users - N/M always comes with 128-bit crypto, that wasn't true for IE until relatively recently, they'd have users locked out for having lame [sub-par] crypto.
I occasionally run into sites that are IE-only - they're typically M$ cronies' sites, etc. -- and when they're not and it's surely just ignorance I give the webmaster a [polite] earful and generally the problem gets fixed.
BTW: Hurray for IE actually conforming to the DOM2 standard finally - I don't have to write separate drop menu JS code for IE, NS/Moz and Opera.
Re:Which standard? (Score:3, Informative)
Mozilla and I'm assuming Firebird do have this functionality.
RFC 1738 (Score:5, Informative)
//<user>:<password>@<host>:<port>/<url-path>
Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?
Also, this fixes the scroll bar issue... (Score:5, Informative)
A Quote From the Bugtraq Mailing List (Score:2, Informative)
"...the RFC specification says that http authentication is not allowed in an http URL; it is allowed in a generic URI but not for HTTP URLs, this is an exception! RFC 1738 - Page 8
So, Microsoft is in fact sticking to the RFC this time, something they should have done a long time ago. I have been blocking this "http authentication" in every mail I received on my domain for over a year, but when I saw the IE URL obfuscation issue a few weeks back, I was amazed that nobody knew this, so I thought I was wrong and that's why I didn't reply. Microsoft still gets a "D" from me for this big mess!"
Re:Does this mean (Score:5, Informative)
Patch breaks OWA in Exchange 2003 (Score:4, Informative)
Not sure if this is the way it is with every Exchange server or if it is how my university's server is configured, but if you use OWA you might want to be careful with this patch.
Something really scary.... (Score:5, Informative)
"...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."
although there's no mention of that in the KB article.
Exactly what they said they were going to do... (Score:3, Informative)
http://support.microsoft.com/default.aspx?scid=
Note that this KB article was changed today to reflect that it is indeed in this patch, however, this article has been up since Early January or so...
Not that I think it's the right way to do things, but they did provide some warning that it was coming.
Typo in MS "official information" (Score:3, Informative)
From the alert:
* For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
The link "tailspintoys.com" actually goes to "tailspingtoys.com" (which is not resolved at all).
Re:Ironic given an email my mom got (Score:3, Informative)
All in all, *very* slick. It plays on the current hype about MyDoom, and the combination of the spoofed headers, "digital signing" and the offer to download from the website instead are/were no doubt sufficient to lull many who might not otherwise be taken in into the trap. The clueless n00bs who actually click on these things anyway would have had no chance. I'm actually impressed with the effort - this rank amateur [theregister.co.uk] sure could learn a thing or two.
Re:Does this mean (Score:5, Informative)
RFC 1738 - Page 8
3.3. HTTP
The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).
The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.
Re:RFC 1738 (Score:5, Informative)
Re:the needed patch (Score:2, Informative)
Here is the behavior of IE after patching.... (Score:5, Informative)
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in it (by clicking on the URL bar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to go blank, and the throbber will continue spinning indefinitely.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one: this one [secunia.com].
(Though clicking the link on that page will fail with the above described error page)
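The RFC 1738 rule quoted above (no userinfo in an http URL, userinfo permitted in the generic form and in ftp) and the post-patch behaviour described just above (IE rejecting *any* URL containing an "@") are two different checks. The following is an added example, not code from the original page or from Microsoft: a small RFC 2396-style component splitter that applies the RFC 1738 section 3.3 rule only to an "@" found inside the authority, so an "@" in the path or query string (such as an e-mail address in a form parameter) is left alone. It also shows what a user actually connects to when a spoofed URL like the tailspintoys/wingtiptoys example carries a fake "host" in the userinfo position. All sample URLs are constructed for this example.

```javascript
// RFC 1738 / RFC 2396 userinfo check (added example, not from the original page).
// Generic form:  <scheme>://<userinfo>@<host>:<port>/<path>?<query>#<fragment>
// RFC 1738 3.3:  http URLs take http://<host>:<port>/<path>?<searchpart>
//                and "No user name or password is allowed."

// Schemes whose RFC 1738 definition has no userinfo part. ftp, for example,
// is deliberately absent: RFC 1738 3.2 allows <user>:<password>@ for ftp.
const SCHEMES_WITHOUT_USERINFO = new Set(["http", "https"]);

// Split a URL into its generic components. Returns null if it has no
// "<scheme>://" prefix at all. Only an "@" inside the authority (the part
// before the first "/", "?" or "#") introduces userinfo; an "@" later in
// the URL is ordinary path or query data.
function parseUrl(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/.exec(url);
  if (!m) return null;
  const [, scheme, authority, path, query, fragment] = m;

  // Browsers split userinfo from host at the LAST "@" in the authority,
  // which is exactly why "http://real-looking-site@attacker" works as a lure:
  // everything before that "@" is just userinfo, not the host.
  const at = authority.lastIndexOf("@");
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;

  // A port is the text after the last ":" that is not inside an IPv6 "[...]" literal.
  const bracket = hostport.lastIndexOf("]");
  const colon = hostport.lastIndexOf(":");
  const hasPort = colon > bracket;
  const host = hasPort ? hostport.slice(0, colon) : hostport;
  const port = hasPort ? hostport.slice(colon + 1) : null;

  return {
    scheme: scheme.toLowerCase(),
    userinfo,
    host,
    port,
    path,
    query: query || null,
    fragment: fragment || null,
  };
}

// Apply the RFC 1738 rule: userinfo is rejected only for schemes that do not
// define it. Everything else (including "@" outside the authority) passes.
function classifyUrl(url) {
  const parsed = parseUrl(url);
  if (!parsed) return { verdict: "not-a-url", parsed: null };
  if (parsed.userinfo !== null && SCHEMES_WITHOUT_USERINFO.has(parsed.scheme)) {
    return { verdict: "reject-userinfo", parsed }; // RFC 1738 3.3 violation
  }
  return { verdict: "ok", parsed };
}

// Constructed sample URLs for this example (hosts are illustrative only).
const SAMPLES = [
  // The obfuscation pattern: looks like tailspintoys, connects to wingtiptoys.
  "http://www.tailspintoys.com@www.wingtiptoys.com/",
  // An "@" in the query string: a blanket "@" filter (the post-patch IE
  // behaviour described above) breaks this, the RFC-based check does not.
  "http://example.com/contact?email=alice@example.org",
  // ftp defines userinfo, so this is legitimate under RFC 1738 3.2.
  "ftp://me:you@ftp.example.com/pub/",
  "not a url",
];

function report() {
  return SAMPLES.map((url) => {
    const { verdict, parsed } = classifyUrl(url);
    const host = parsed ? parsed.host : "-";
    const userinfo = parsed && parsed.userinfo !== null ? parsed.userinfo : "-";
    return `${verdict.padEnd(16)} host=${host.padEnd(22)} userinfo=${userinfo.padEnd(22)} ${url}`;
  });
}

for (const line of report()) console.log(line);
```

The practical point is the second sample: a check that only looks for an "@" anywhere in the string, which is what the post-patch behaviour described above amounts to, produces false positives on perfectly ordinary URLs, while a check tied to the authority component rejects exactly the form RFC 1738 forbids and still allows ftp://user:pass@host, where the RFC defines it.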
Re:Why is URL parsing code in the kernel? (Score:1, Informative)
Browseui.dll Mshtml.dll Shdocvw.dll Shlwapi.dll Urlmon.dll Wininet.dll
Re:Patch breaks OWA in Exchange 2003 (Score:3, Informative)
Re:Why is URL parsing code in the kernel? (Score:1, Informative)
Expand the section "Security Update Information".
Expand the section corresponding to the version you have.
You will see a table like the following:
Date Time Version Size File Name Platform
22-Jan-2004 00:21 6.00.2800.1400 1,026,048 Browseui.dll X86
22-Jan-2004 00:19 6.00.2800.1400 2,795,520 Mshtml.dll X86
22-Jan-2004 00:15 6.00.2800.1400 1,339,904 Shdocvw.dll X86
21-Jan-2004 23:18 6.00.2800.1400 395,264 Shlwapi.dll X86
22-Jan-2004 00:20 6.00.2800.1400 484,352 Urlmon.dll X86
22-Jan-2004 00:16 6.00.2800.1400 588,288 Wininet.dll X86
Re:It was updated (Score:5, Informative)
The security problem was spotted back in 1993 or 1994.
The problem was that the URI group was way out in hyperspace by then and not doing what people needed. An inordinate amount of effort went into gopher URLs; the gopher losers wanted to have / be a normal character because it could appear in a Mac filename. The point about escape characters was lost.
Most browsers killed gopher because the protocol was so insecure; you could use a gopher URL to send any string you wanted to any port you wanted, ditto for finger.
The URIs that got used in practice were mostly the ones defined in Netscape. They did not give a wetslap for standards from the IETF or W3C; as far as they were concerned they defined the standard. They did not care much about security either, well, not until it started to go embarrassingly wrong.
RFC 2396 does not supersede RFC 1738 (Score:2, Informative)
However, there is a more recent specification for the HTTP scheme, and that is RFC 2616 (describing HTTP/1.1). It agrees with RFC 1738: No "userinfo" part is allowed in an HTTP URL. And, since RFC 2616 is more recent than RFC 2396, it can't be superseded by RFC 2396 (but neither does it supersede RFC 2396).
Re:What standards are they breaking. (Score:2, Informative)
Re:Prove? (Score:3, Informative)
It is the only browser wherein I can remember such a hole, and I (try) to keep up with the security mailing lists...
Feel free to search bugtraq if you like.
Now then, I think that there were a few problems in some versions of Netscape/Mozilla, but I don't remember them being nearly as serious as the IE holes.
Re:Does this mean (Score:3, Informative)
2. You say that RFC 2396 supersedes RFC 1738, but you fail to mention whether this RFC is considered mandatory or not.
3. Even though RFC 2396 supersedes RFC 1738, it still doesn't allow the user:pass@host scheme for http://-URLs. Excerpt from RFC 2396:
The "some URL schemes" are those defined in RFC 1738 (since there are no definitions of specific URL schemes in RFC 2396). So user:pass@host is STILL NOT ALLOWED, let alone mandatory, under RFC 2396.
Re:the needed patch (Score:3, Informative)
So set Explorer to single-click folders, and remove toolbars or size their graphics to Small.
WUAUCLT.EXE changed (Score:2, Informative)
Re:Deprecating username/password in URLs (Score:1, Informative)
Go read then post.
Re:To be fair... (Score:1, Informative)
You still use Redhat 5 as well I guess?