Microsoft

Microsoft Security Patch Fixes URL Security Flaw

loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
  • by Mr. McGibby ( 41471 ) on Monday February 02, 2004 @07:20PM (#8164248) Homepage Journal
    The files that this patch affects reveal a little tidbit of info about how Windows is put together and it makes one ask the question:

    Why the hell does this require a kernel patch?
  • by swimfastom ( 216375 ) on Monday February 02, 2004 @07:21PM (#8164266) Homepage
    Patches..."A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window."

    I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
  • by Anonymous Coward on Monday February 02, 2004 @07:24PM (#8164296)
    I just reload the OS (if you can call it that) every month.
  • by Tuxedo Jack ( 648130 ) on Monday February 02, 2004 @07:24PM (#8164304) Homepage
    Because they forced IE to integrate into the shell. Of course, there's IEliminate and similar programs which will shred IE from the system and strip any references to it from various places, and if you install IE6 off the NIS2003 disc, you can edit the install.ini file's ShellIntegration value (set it to 0), and you can use Firebird for everything else.
  • by loteck ( 533317 ) on Monday February 02, 2004 @07:27PM (#8164327) Homepage
    I don't know if these last security holes were just the straw that broke, but I've had no fewer than 20 people comment to me over this last week that they are sick of IE, and are lookin for alternatives.

    It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.

    I left IE as well last week, opting instead for Opera [opera.com], and really couldn't be happier. Screw 'em, I want my tabbed browsing!

  • by deadline ( 14171 ) on Monday February 02, 2004 @07:33PM (#8164382) Homepage
    Microsoft is so market driven it makes me laugh. They seem to only release patches when the complaint buzz gets high enough. As I understand it, some of the vulnerabilities in IE have been known for almost a year. Glad to see security is such a priority.

    This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.

  • by UfoZ ( 680310 ) on Monday February 02, 2004 @07:33PM (#8164388) Homepage
    Doesn't this violate some kind of standard, getting rid of the user:pass@ syntax? I mean, I haven't used it a lot but occasionally, yeah.

    Arbitrary decisions to alter the working of the internet just like this seem very incorrect to me. Wouldn't some kind of warning suffice?

    Like,
    "Warning: the link you just clicked contains a username - the website address might be deliberately spoofed!

    [ ] Don't show this again."
    - or something like that...
  • by GoMMiX ( 748510 ) on Monday February 02, 2004 @07:34PM (#8164392)
    Every product has security vulnerabilities that are exposed to the public from time to time.... However, Microsoft seems to be the King of insecure. This is yet another example. And old news at that. The problem with Microsoft is the length of time they take to fix such horrid flaws in their software. They've had many months to produce a patch for this, and countless Microsoft users have suffered as a result. Good job, Microsoft, for proving you are a proud supporter of capitalism. You've managed to make a select few extremely wealthy by ripping off your users, using a slew of vulnerabilities that are continually left unchecked for extended periods of time. It's sad, really, Microsoft doesn't even care about the bad press anymore. They're immune to it, everyone knows their products are insecure and feel they have no alternative choice. That's going to change someday, and Microsoft is going to have to actually earn their customers by providing good [secure] products and services then. Though, I doubt it will ever matter - really. Microsoft is simply too large and too wealthy - even if no one ever bought another Microsoft product again - the company could survive forever just on its current assets. Talk about a load of smelly poo...
  • by Oroborus ( 131587 ) * on Monday February 02, 2004 @07:36PM (#8164409)
    Just fyi: the update number comes from the number identifying the knowledgebase article where the problem is first identified.
  • Fixed Indeed (Score:5, Interesting)

    by quantaman ( 517394 ) on Monday February 02, 2004 @07:39PM (#8164430)
    This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

    http(s)://username:password@server/resource.ext


    Unfortunately this isn't fixed as it should be, i.e. you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses as was suggested they might here. Hadn't they been saying previously that this problem was unfixable, presumably the reason for disallowing the '@' altogether rather than a real fix. I have two questions, first what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain but it's obviously possible since no other browser is affected (heck I even tried IE for mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site, they should be able to display the url properly!
    Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org, of course the example they give is username:password but I can't see any real site displaying the password in plaintext in the url, does anyone have an example of where this is used and what the effects will be?
  • by koh ( 124962 ) on Monday February 02, 2004 @07:40PM (#8164447) Journal
    The irony here is that Firebird probably works on VDs only because it _only_ uses _documented_ WIN32 APIs.

    When you expose things to the outside, you have to make them work. Not so for the inside hacks. Too bad :)
  • Re:the needed patch (Score:5, Interesting)

    by ejdmoo ( 193585 ) on Monday February 02, 2004 @07:42PM (#8164468)
    Think Firebird [mozilla.org]. I hated Mozilla, loved Firebird. :)
  • Re:the needed patch (Score:5, Interesting)

    by tupps ( 43964 ) on Monday February 02, 2004 @07:48PM (#8164518) Homepage
    Grab Mozilla/Opera/Whatever and use Tabs for a little while. I cannot use any browser now without tabs. Having 10 pages open is no problem, and it is great when you come to a site and need to look at 10 different articles that might interest you (eg Slashdot front page). Also Mozilla has a pretty extensive scripting language behind it. I believe that the Calendar module is written purely in that scripting language. Thanks Luke
  • Re:the needed patch (Score:4, Interesting)

    by Mr_Matt ( 225037 ) on Monday February 02, 2004 @07:50PM (#8164539)
    And before anyone tries to call me lazy, I challenge any mouse-wheel addicted user to disable the wheel.

    Challenge met, sir, let me get my hammer...

    *whomp* *whomp* *WHOMP* ...yeah, that ought to do it. :)

    And while I appreciate that you enjoy the features you list above (fav's in folders, taskbar access, toolbar mobility) they're not for everyone. Me, for example - I tend to struggle with Microsoft's 'You Must Double-Click A Lot To Get Your File Structure Sorted' hierarchy, and all those damn toolbars just eat space on my not-so-high resolution screen. To each their own, I suppose.

    Anyways, if you haven't already, try Firebird - you lose some of the things you like, but the UI is about as intuitive as any I've used, especially in Linux. Cut-n-pasting URLs into new tabs with four mouse clicks and a whammy on the NumPad key just looks cool.
  • Re:Does this mean (Score:4, Interesting)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Monday February 02, 2004 @07:53PM (#8164563) Homepage Journal

    Not sure what you were looking for specifically, but the user:pass@host scheme is defined in RFC 1738 [rfc.net].

    And, no, they're not breaking the spec. It's optional:

    Some or all of the parts "<user>:<password>@", ":<password>", ":<port>", and "/<url-path>" may be excluded.

    They're just being dumb. As usual.

  • by andih8u ( 639841 ) on Monday February 02, 2004 @07:54PM (#8164568)
    Yeah, really...why do you ask?

    Since /.'ers seem to get technological tunnel vision, so here's a few hints on what the average user is really like:

    1. They are convinced the monitor is actually the computer. I don't know what they think that big tower does, but since they have it piled high with boxes, blankets, and it holds up their space heater, they've more than likely forgotten that it's there.

    2. They have cable / dsl that they use to connect to aol and they have absolutely no firewalls or virus protection.

    3. They have no clue what a modem does versus what a network card does, but they do like to pick up on words they saw in the Best Buy ad, thereby running around saying "Why yes, I just recently upgraded my ethernet to thumb-drive."

    4. They have no idea that windows update even exists, regardless of how annoying that systray icon becomes.

    5. They've never heard of Linux, except maybe in that one IBM ad, but as it's an IBM ad, they aren't going to bother to find out.

    So they are "ignorant and lazy" as you say, but not everyone was blessed with your incredible technological ability at birth.
  • by RatBastard ( 949 ) on Monday February 02, 2004 @07:54PM (#8164574) Homepage
    Even so, you should probably apply the patch. A lot of programs use IE for their "internal" browser component. WinAmp being the one that springs to mind at the moment.
  • by Anonymous Coward on Monday February 02, 2004 @07:58PM (#8164609)
    I use K-Meleon on a daily basis. It's my secondary browser next to monolithic Mozilla. (Firebird fills no niche that the combo of Mozilla and K-Meleon doesn't do better, IMHO.)

    It's great (nice and fast even on old PCs that can't run Mozilla or Firebird at adequate speed), but it lacks functionality and polish compared to vanilla Mozilla. It's very extensible if your idea of extensibility is messing around with config files, however.

    One thing that sucks is the menus. "Rebar" = ugly hack (you can't use alt shortcuts to activate the menus unless you turn rebar OFF). Also, I don't like its version of tabs. Creating, closing, or switching between "layers" (tabs) causes the window's taskbar tab to move to the rightmost side of the Windows taskbar. Not good.

    Don't get me wrong - for some uses, it's the best browser out there. But it's not for everybody, and for those who would use it regularly, it takes even more configuration time to tune/fix than other browsers do.
  • by lildogie ( 54998 ) on Monday February 02, 2004 @07:58PM (#8164622)
    This just points out the fundamental flaw of Windows Update: a smart hacker would attack the update process that's used to harden the system.

    Just wait.
  • by ad0gg ( 594412 ) on Monday February 02, 2004 @08:06PM (#8164687)
    URL RFC [ohio-state.edu]

    If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted.

    They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.

  • Re:the needed patch (Score:5, Interesting)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Monday February 02, 2004 @08:11PM (#8164746) Homepage Journal

    I just canceled a credit card with MBNA because they added a browser sniffer that kept telling me I had "an older version of Netscape" and I needed to upgrade. Wouldn't let me into the site on FB 0.7 on Linux, so I sent them a nice little "fuck you too" cancel request explaining that their site is broken and that's why I'm canceling.

    And yes, the site worked just fine in FB 0.7 once I sent an IE 6.0 UA.

    I make it a point to relentlessly hound businesses that pull that little stunt. I also post their links on Open Source boards so everyone can get a shot at them. And don't tell me it's childish or rude or anything else - if they hadn't intentionally broken the site in the first place I wouldn't be obligated to tell everyone that the site is crippled. If they can't even hire half-competent web designers (or, more likely, if their management weren't typically incompetent and it actually listened to the web designers) why should I assume that they're capable of handling something as complex as my banking? They're cutting corners there, where else might they be?

  • Re:the needed patch (Score:3, Interesting)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Monday February 02, 2004 @08:14PM (#8164792) Homepage Journal

    Slashdot is the best use of tabs I've found to date. I LOVE being able to open a new tab with the "Reply to This" links. Another awesome use is when spillover occurs and I can't see all the comments I want to. I can just hit the "x comments below..." links to open them in new tabs, then close the tabs down as I read up through the "hidden" posts in a long thread. Since the tabs open chronologically (unlike windows which just sort of scatter), this works REALLY well.

  • by Anonymous Coward on Monday February 02, 2004 @08:25PM (#8164877)
    Nothing on the MS page says it's anything to do with the kernel

    He never claimed it did. He said he looked at the patch file and it patches the kernel. From what I can tell you didn't bother to check and just had a knee jerk fanboy reaction.

    So mod me down, you know it's the truth.

    I'd love to know what's true. I don't know how to open Microsoft patch files. I don't even know how to download them anymore. Can someone answer this instead of adding more flames?

  • by Nintendork ( 411169 ) on Monday February 02, 2004 @08:32PM (#8164940) Homepage
    "Get the monkey off your back, switch to Mozilla Firebird"

    I did, but had to switch back because of a security flaw. I posted to Bugzilla [mozilla.org] and the developers bumped the severity up to "Major". Here I am almost three months later still waiting for a problem the developers consider major to be fixed. It would seem that the only real progress they've made is the vocabulary used when slandering Microsoft.

    -Lucas

  • Re:Does this mean (Score:5, Interesting)

    by gunpowder ( 614638 ) on Monday February 02, 2004 @08:49PM (#8165084)
    I love people referencing to some RFC, but then not reading it themselves :-P

    You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that URL can take.

    The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
    Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol) and not.

    Let's look at HTTP (excerpt from the RFC):


    An HTTP URL takes the form:

    http://<host>:<port>/<path>?<searchpart>

    where <host> and <port> are as described in Section 3.1. If :<port>
    is omitted, the port defaults to 80. No user name or password is
    allowed.



    Also your remark "They're just being dumb. As usual." is wrong.
    Actually they finally conform to an open specification!
  • hex code (Score:2, Interesting)

    by grey3 ( 160961 ) on Monday February 02, 2004 @08:50PM (#8165100)
    anyone know if replacing @ with %40 works?
  • by crabpeople ( 720852 ) on Monday February 02, 2004 @09:03PM (#8165193) Journal
    the only reason i use ie, well 2 reasons, but the main one is that when i put in d: into the address bar, it automagically turns into windows explorer so i can view files and stuff.

    also mozilla renders the page as it's being downloaded and IE does it after it's downloaded. so when i get a webpage in mozilla i have a bunch of images and shit loading. In IE i have a whole page albeit it takes a few seconds longer but it makes it a lot prettier.
  • Re:Fixed Indeed (Score:3, Interesting)

    by StaticLimit ( 26017 ) on Monday February 02, 2004 @09:12PM (#8165265) Homepage
    If they can't fix the problem by allowing the real URL to be displayed then I have to ask what they are using this special character for?

    I can't think of a good reason for having a special character in the first place that suppresses display of everything after it unless Microsoft needs it for some special purpose behind the scenes.

    Can you just accidentally end up with these things? Is it because the common controls they use have this "feature" which is needed in other applications and so IE just inherited it (if so, they could just distribute and use a different control)? Or do they actually make use of it someplace else in Explorer and need to keep it in?

    I assume DNS is solid enough that citibank.com%01.haxor.org would fail and not pass on requests with that character? Or could haxor.org have their own DNS implementation that would handle that character when the lookup request arrived?

    - StaticLimit
  • Re:Fixed Indeed (Score:4, Interesting)

    by spitzak ( 4019 ) on Monday February 02, 2004 @09:21PM (#8165318) Homepage
    I agree. I am absolutely floored by how stupid this "patch" is. It does not even address the basic bug! (the basic bug is that the preview always ends at a %00).

    There are a hundred other fixes they could do that would be better than this one. It is going to break sites! Certainly in-house things use this plenty for low security, and it should be quite good security for one-off passwords that only work for a very short time.

    Number 1 fix would be to preview the url in its entirety. %00 should show as %00.

    Now a lot of people have pointed out that the '@' syntax still fools a lot of people anyway (that was why a bunch of MS trolls claimed the same bug was in Mozilla, because they were stupid enough to be fooled by this). So number 2 fix, while they are looking at that code, is change it so that everything before the @ is not displayed. This also will hide the username/password for (obviously weak) security.

    Removing the '@' does nothing for people fooled by "//www.microsoft.com.evil.org" thinking it goes to Microsoft and not Evil. So maybe rearrange URL's like "//com.evil.org(www.microsoft.com.evil.org)/..." or come up with a new standard for previewing them like "///org/evil/com/microsoft/www//..." so the most important information is first. Obviously this is tough to design, but Microsoft could do this and perhaps impress people here, rather than annoy them with their incredibly lame "solutions".

    . This is getting more tricky since it could be used to hide information
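
Added example, not part of any comment above and not Microsoft's code: a link checker a mail filter or proxy could run to report the host an http(s) URL really resolves to, flagging userinfo (which the RFC 1738 HTTP form quoted above does not allow), encoded control bytes in the userinfo, and a trusted name used as a subdomain prefix. The names `inspect_url`, `most_significant_first`, the `trusted` list and the hosts `bank.example`, `evil.test` and `intranet.test` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # C0 control bytes and DEL


def inspect_url(url, trusted=("bank.example",)):
    """Return a dict describing where an http(s) URL really goes.

    `trusted` is a hypothetical list of names worth impersonating.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    report = {"host": host, "findings": [], "truncated_view": None}
    if parts.scheme not in ("http", "https"):
        return report

    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if at:
        # RFC 1738: "No user name or password is allowed" in an HTTP URL.
        report["findings"].append("userinfo-in-http-url")
        decoded = unquote(userinfo)
        ctrl = _CONTROL.search(decoded)
        if ctrl:
            report["findings"].append("control-char-in-userinfo")
            # What a display that stops at the control byte would show.
            report["truncated_view"] = f"{parts.scheme}://{decoded[:ctrl.start()]}"
        user = _CONTROL.split(decoded.split(":", 1)[0], maxsplit=1)[0]
        if _HOSTLIKE.match(user) and user.lower() != host:
            report["findings"].append("userinfo-looks-like-host")

    # The "www.microsoft.com.evil.org" case: the trusted name is only a
    # prefix of the host, not its registrable suffix.
    for name in trusted:
        if host != name and not host.endswith("." + name) and f".{name}." in f".{host}":
            report["findings"].append("trusted-name-as-subdomain-prefix")
    return report


def most_significant_first(host):
    """Render a host with the top-level label first, as proposed above."""
    return "/".join(reversed(host.split(".")))


# Constructed sample links; none come from the page or from real traffic.
SAMPLES = [
    "http://www.bank.example/login",
    "http://www.bank.example%01@evil.test/login",
    "http://www.bank.example%00@evil.test/login",
    "https://alice:s3cret@intranet.test/report",
    "http://www.bank.example.evil.test/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = inspect_url(link)
        print(link, "->", r["host"], r["findings"], most_significant_first(r["host"]))
```
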
  • Re:You know (Score:4, Interesting)

    by roystgnr ( 4015 ) <royNO@SPAMstogners.org> on Monday February 02, 2004 @11:36PM (#8166192) Homepage
    It's MUCH harder to change your bank than to patch your browser.

    Yes, it is. You should try the "fake user agent" patches that others have suggested, for example; they usually come in the cross-platform installer (.xpi) format that Mozilla and Firebird can install in two clicks.

    While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank

    Nice wisecrack, but you don't need to feign concern; I don't drink and I've got a few years pizza money saved up should it come to that.

    When I do get a home mortgage, though, could you let me know which banks I ought to be avoiding? For such a serious concern it's odd how abstract this whole thread is. A brief "I banked with X, their website doesn't support Mozilla, and when I tried contacting their webmaster and using a user-agent faker the results were Y and Z" would be helpful.

  • by WesG ( 589258 ) on Monday February 02, 2004 @11:39PM (#8166210)
    Not sure if anyone else noticed, but this "security fix" seems to have mysteriously fixed the page down problem in IE which would cause the browser scroll down two pages at a time.

    Anyone else see this?
  • by caesar79 ( 579090 ) on Tuesday February 03, 2004 @01:25AM (#8166710)
    if the mailto://user@host.tld works in IE with this fix ?

    RTFA tells me that "@" in an HTTP url is now considered to have an invalid syntax. Is this the case with the mailto protocol also ?

    TIA.
