Microsoft Security Patch Fixes URL Security Flaw
loteck writes "Microsoft has just released Security Update 832894. According to their official information, it affects all NT kernel versions of Windows and most versions of Internet Explorer. Here's a rundown of the important fixes, notably 'A vulnerability that involves the incorrect parsing of URLs that contain special characters' in Internet Explorer, as previously discussed on Slashdot."
Does this mean (Score:5, Funny)
Oh wait- I use Mozilla. I didn't need to do that anyway.
Re:Does this mean (Score:5, Informative)
Seriously, though - I think one of the bigger changes in this release is that IE no longer support username/password in the URL (http://me:you@whatever.com). No more easy pr0n surfing.
Re:Does this mean (Score:5, Informative)
Re:Does this mean (Score:4, Interesting)
Not sure what you were looking for specifically, but the user:pass@host scheme is defined in RFC 1738 [rfc.net].
And, no, they're not breaking the spec. It's optional:
Some or all of the parts "<user>:<password>@", ":<password>", ":<port>", and "/<url-path>" may be excluded.
They're just being dumb. As usual.
Re:Does this mean (Score:5, Informative)
RFC 1738 - Page 8
3.3. HTTP
The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).
The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.
Re:Does this mean (Score:5, Interesting)
You said "the user:pass@host" scheme is optional. This is right and wrong. This is described in Section 3.1 of RFC 1738, which describes the Common Internet Scheme Syntax, or the general form that URL can take.
The user:pass@host scheme is described as "optional" in the meaning that specific URL schemes can make use of them or not. A URL scheme can decide not to adopt/allow the 'user:pass@host' scheme at all.
Specific URL schemes for FTP, HTTP, MAILTO etc. are defined in Sections 3.2 - 3.11. These Sections describe what is allowed for each URL scheme (protocol ) and not.
Let's look at HTTP (excerpt from the RFC):
An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.
Also your remark "They're just being dumb. As usual." is wrong.
Actually they finally conform to a open specification!
Re:Does this mean (Score:3, Informative)
2. You say that RFC 2396 supersedes RFC 1738, but you fail to mention whether this RFC is considered mandatory or not.
3. Even though RFC 2396 supersedes RFC 1738, it still doesn't allow the user:pass@host scheme for http://-URLs. Excerpt from RFC 2396:
Re:It was updated (Score:5, Informative)
The security problem was spotted back in 1993 or 1994.
The problem was that the URI group was way out in hyperspace by then and not doing what people needed. An inordinate amount of effort went into gopher URLs; the gopher losers wanted to have / be a normal character because it could appear in a Mac filename. The point about escape characters was lost.
Most browsers killed gopher because the protocol was so insecure, you could use a gopher URL to send any string you wanted to any port you wanted, ditto for finger.
The URIs that got used in practice were mostly the ones defined in Netscape. They did not give a wetslap for standards from the IETF or W3C; as far as they were concerned they defined the standard. They did not care much about security either, well not until it started to go embarrassingly wrong.
Re:Does this mean (Score:5, Insightful)
Is this really the best Microsoft can do ?
Whenever a URL with an "xxx[:yyy]@" prefix is clicked or entered, why couldn't they pop up a login dialog box, specifying the name of the site (WITHOUT the xxx[:yyy]@ prefix), filling in the user name and password (i.e. the "xxx" and "yyy" in the appropriate fields), and asking for confirmation of the site to be visited ?
Or at least allow a configurable option such as "Disallow username/password in URLs / Prompt with Dialog Box / Allow" (with the default set to Disallow). That way, advanced users would still be able to use the username:password@ syntax if they enable the option. It's actually pretty useful as a quick way to transfer files by FTP, so I hope it's still supported over FTP.
Re:Does this mean (Score:5, Informative)
security coverage? (Score:5, Funny)
Re:Does this mean (Score:5, Insightful)
The basic problem is that IE displays the URL "http://www.good.com/foo%00@www.evil.com/bar" as "http://www.good.com/foo" and thus completely hides the fact that it actually goes to "www.evil.com", even for an expert user. This is the bug in IE that needs to be fixed.
Even if fixed, the above URL would certainly fool a lot of people that it goes to "good.com". All browsers today seem vulnerable to this. So some solution is necessary.
My recommended solution is to preview starting with the '@' sign so the user sees "@www.evil.com/bar". This also has the nice effect of hiding the username & password for (obviously extremely weak) security.
I do think Microsoft's solution is about the stupidest thing they can do after the "do nothing" solution. I find it hard to believe they cannot fix their status bar preview; this would indicate the innards are such a horrible mess of spaghetti that they cannot make even simple changes and they had to attack the only single point of entry, which is where the http get command is processed.
Of course the '@' is not a standard, but neither is ActiveX and Microsoft does not seem to be removing that. Saying that it is ok because it is not an official standard is stupid. It will break plenty of sites.
Re:Does this mean (Score:2)
Of course, Moz/Fb/Opera will continue to operate as usual
As an aside, there are many other fixes in this update that may be "hidden" under this obvious one... time to RTFA again at subsonic speed.
the needed patch (Score:4, Funny)
Re:the needed patch (Score:5, Insightful)
Yes, Mozilla is better than IE in a lot of cases... but don't forget, the average user still uses the internet for email, online banking, and news sites.
And guess where you are more than likely to run into an "I.E. recommended" site? Online banking.
Yes, "developers should...", but Developers should do a lot of stuff that they never will. Reality is, Mozilla is a far way from replacing I.E.
Re:the needed patch (Score:5, Funny)
So do I.
And guess where you are more than likely to run into an "I.E. recommended" site? Online banking.
Not at my little bank [bankofamerica.com].
Reality is, Mozilla is a far way from replacing I.E.
Well, if your bank sucks, I suppose so. I'd be curious about which bank it is, though; the only place I still see "You should have Internet Explorer!" pages is zone.msn.com.
You know (Score:5, Insightful)
1) Refinance at a new bank. This can cost you money, and, if interest rates go up, give you a worse rate.
2) Move your checking/savings, and leave your mortgage, which means you need to do business with two banks.
Idealism with browsers is all well and good, but there are real world concerns with simply telling a bank to stick it in many cases.
Some banks just suffer from a case of being stupid with browsers. One of my coworkers had a bank like that. They actually supported netscape too, but thing was they did NOT support Mozilla. I've a feeling it would actually have worked fine, but their little script checked the browser ID and refused to let him try and log in.
Re:You know (Score:4, Interesting)
Yes, it is. You should try the "fake user agent" patches that others have suggested, for example; they usually come in the cross-platform installer (.xpi) format that Mozilla and Firebird can install in two clicks.
While you might still be in the student phase of life where you've got nothing but some pizza and beer money in the account, and hence not much to transfer to another bank
Nice wisecrack, but you don't need to feign concern; I don't drink and I've got a few years pizza money saved up should it come to that.
When I do get a home mortgage, though, could you let me know which banks I ought to be avoiding? For such a serious concern it's odd how abstract this whole thread is. A brief "I banked with X, their website doesn't support Mozilla, and when I tried contacting their webmaster and using a user-agent faker the results were Y and Z" would be helpful.
Re:the needed patch (Score:5, Informative)
Perhaps so, but I use the web for business and recreation on average 6 hours a day, and have never in the last three years had to resort to IE.
Except, that is, for ensuring that web pages I write render correctly on the lowest common denominator.
Re:the needed patch (Score:5, Insightful)
Re:Prove? (Score:3, Informative)
It is the only browser wherein I can remember such a hole, and I (try) to keep up with the security mailing lists...
Feel free to search bugtraq if you like.
Now then, I think that there were a few problems in some versions of Netscape/Mozilla, but I don't remember them being nearly as serious as the IE holes.
Bank of America highly recommended (Score:3, Informative)
I've been using Bofa online banking [bofa.com] for over a year now with Firebird with NO problems except one small CSS issue that appears when setting up a payee in Bill-Pay.
Instead of complaining about banks that recommend IE, move to BofA and tell your existing bank why you are moving!
"Blah blah, status quo, what can you do?"... as soon as it hurts their pockets, they'll add Mozilla support.
Don't just move for the tech though - the BofA system is very well thought out and feature rich and sells itself pretty we
Re:the needed patch (Score:5, Interesting)
I just canceled a credit card with MBNA because they added a browser sniffer that kept telling me I had "an older version of Netscape" and I needed to upgrade. Wouldn't let me into the site on FB 0.7 on Linux, so I sent them a nice little "fuck you too" cancel request explaining that their site is broken and that's why I'm canceling.
And yes, the site worked just fine in FB 0.7 once I sent an IE 6.0 UA.
I make it a point to relentlessly hound businesses that pull that little stunt. I also post their links on Open Source boards so everyone can get a shot at them. And don't tell me it's childish or rude or anything else - if they hadn't intentionally broken the site in the first place I wouldn't be obligated to tell everyone that the site is crippled. If they can't even hire half-competent web designers (or, more likely, if their management weren't typically incompetent and it actually listened to the web designers) why should I assume that they're capable of handling something as complex as my banking? They're cutting corners there, where else might they be?
Re:the needed patch (Score:3, Funny)
u r the kind of peeps i wud take advice from.
Re:the needed patch (Score:2)
But seriously, I've actually taken advantage of the IE/Windows integration, the fact that your FAvorites are acutally files in folders, the way I can embed HTML in my OS taskbar to provide useful functions, and I can REMOVE and COMBINE (not just collapse to fewer pixels) the toolbars to make the best use of my high resolution screen.
Despite the security problems whic
Re:the needed patch (Score:5, Interesting)
Re:the needed patch (Score:5, Interesting)
Re:the needed patch (Score:3, Interesting)
Slashdot is the best use of tabs I've found to date. I LOVE being able to open a new tab with the "Reply to This" links. Another awesome use is when spillover occurs and I can't see all the comments I want to. I can just hit the "x comments below..." links to open them in new tabs, then close the tabs down as I read up through the "hidden" posts in a long thread. Since the tabs open chronologically (unlike windows which just sort of scatter), this works REALLY well.
Re:the needed patch (Score:4, Interesting)
Challenge met, sir, let me get my hammer...
*whomp* *whomp* *WHOMP*
And while I appreciate that you enjoy the features you list above (fav's in folders, taskbar access, toolbar mobility) they're not for everyone. Me, for example - I tend to struggle with Microsoft's 'You Must Double-Click A Lot To Get Your File Structure Sorted' hierarchy, and all those damn toolbars just eat space on my not-so-high resolution screen. To each their own, I suppose.
Anyways, if you haven't already, try Firebird - you lose some of the things you like, but the UI is about as intuitive as any I've used, especially in Linux. Cut-n-pasting URLs into new tabs with four mouse clicks and a whammy on the NumPad key just looks cool.
Re:the needed patch (Score:3, Informative)
So set Explorer to single-click folders, and remove toolbars or size their graphics to Small.
At least better than the KB article :) (Score:2, Funny)
Re:At least better than the KB article :) (Score:2, Funny)
Re:At least better than the KB article :) (Score:3, Offtopic)
Nice try, but you've disproved your own point by simply responding.
Re:At least better than the KB article :) (Score:5, Insightful)
Exactly what they said they were going to do... (Score:3, Informative)
http://support.microsoft.com/default.aspx?scid=
Note that this KB article was changed today to reflect that it is indeed in this patch, however, this article has been up since Early January or so...
Not that I think it's the right way to do things, but they did provide some warning that it was coming.
Patches being sent by email (Score:3, Funny)
Re:Patches being sent by email (Score:3, Funny)
It also says "Thank you for using Microsoft products," something that I have never heard M$ say, ever, and also despite the fact that I don't regularly use "Microsoft products."
HA HA NICE TRY (Score:5, Funny)
Wow Security update # 832894 (Score:5, Funny)
Re:Wow Security update # 832894 (Score:2)
(Takes a sip out of my Earl Grey)
Re:Wow Security update # 832894 (Score:5, Interesting)
I'm surprised we even post this stuff... (Score:5, Insightful)
Re:I'm surprised we even post this stuff... (Score:5, Insightful)
Kierthos
Re:I'm surprised we even post this stuff... (Score:2, Informative)
Re:I'm surprised we even post this stuff... (Score:3, Interesting)
I did, but had to switch back because of a security flaw. I posted to Bugzilla [mozilla.org] and the developers bumped the severity up to "Major". Here I am almost three months later still waiting for a problem the developers consider major to be fixed. It would seem that the only real progress they've made is the vocabulary used when slandering Microsoft.
-Lucas
It's not the 2nd Tuesday... (Score:2, Informative)
Oh and for all of you who don't use Windows SUS - why not? I'm going to patch 350 machines with 5 clicks later this week. Stop your bitchin and get better tools.
Re:It's not the 2nd Tuesday... (Score:2, Informative)
Re:It's not the 2nd Tuesday... (Score:2)
I [apple.com] totally [debian.org] agree! [openoffice.org]
Why is URL parsing code in the kernel? (Score:5, Interesting)
Why the hell does this require a kernel patch?
Re:Why is URL parsing code in the kernel? (Score:5, Interesting)
Re:Why is URL parsing code in the kernel? (Score:2)
Why the hell does this shell require a kernel patch?
Re:Why is URL parsing code in the kernel? (Score:2)
Remember, MS's OS is not like Kernel + layer + layer... its more of a giant monstrosity of "modules" which are interdependent.
Re:Why is URL parsing code in the kernel? (Score:4, Insightful)
"This issue affects Internet Explorer, a component of Windows. You should apply this update if you have Internet Explorer 5.01 or later."
So mod me down, you know it's the truth.
Deprecating username/password in URLs (Score:5, Informative)
Jedidiah
Re:Deprecating username/password in URLs (Score:3, Informative)
Re:Deprecating username/password in URLs (Score:2, Interesting)
Arbitrary decisions to alter the working of the internet just like this seem very incorrect to me. Wouldn't some kind of warning suffice?
Like, - or something like that...
Re:Deprecating username/password in URLs (Score:3, Informative)
Re:Deprecating username/password in URLs (Score:5, Informative)
That method of user/password should have never been allowed in the first place. Sure it's easy, but come on, yeah, broadcasting your username and password to every node along the way is such a good idea; saves some trouble of parsing the html. Not to mention any spyware that sends back what you type into the address bar.
Switched a while ago... (Score:2, Funny)
Re:Switched a while ago... (Score:3, Interesting)
When you expose things to the outside, you have to make them work. Not so for the inside hacks. Too bad
Incorrect parsing (Score:3, Funny)
So now all those goatse URL's finally parse back to the trolls at
finally a username:password@ fix (Score:5, Interesting)
I can't believe it takes Microsoft so long to fix major flaws like this. Honestly, why does it take 60,000 programmers 60 days to fix an IE URL error?
Here are the patches: (Score:5, Funny)
Here [mozilla.org]
Here [opera.com]
Here [kde.org]
Here [apple.com]
Re:Here are the patches: (Score:5, Funny)
Be sure to type in that link manually. (Score:5, Funny)
http://microsoft.com/download/patch/win32/2004/
Ironic given an email my mom got (Score:5, Funny)
In other words, some email/CC#/whatever harvester decided to pull a funny and use the correction for this flaw as a way to exploit the flaw. Now that I see that the described patch is legitimate, I'm actually laughing internally at the delicious irony.
By the time my mom got the email, the target web site had already been taken down by the sysadmin of the host.
None of this is to condone the action of the scum who blasted the email, but come on, that took some balls.
Re:Ironic given an email my mom got (Score:5, Interesting)
Just wait.
Re:Ironic given an email my mom got (Score:3, Informative)
special characters? (Score:5, Funny)
Yeah, the special characters www.google.com now correctly parse to search.msn.com
Too Late. Installed Opera. (Score:3, Interesting)
It's also been a hotter-than-usual topic on Usenet. There really seemed to be a mass exodus from IE over the last couple of weeks, perhaps due to what people feel is blatant neglect by Microsoft.
I left IE as well last week, opting instead for Opera [opera.com], and really couldn't be happier. Screw 'em, I want my tabbed browsing!
Re:Too Late. Installed Opera. (Score:3, Interesting)
From Microsoft Security Bulletin (Score:2, Troll)
http(s)://username:password@server/resource.ext
Re:From Microsoft Security Bulletin (Score:3, Interesting)
Since
1. They are convinced the monitor is actually the computer. I don't know what they think that big tower does, but since they have it piled high with boxes, blankets, and it holds up their space heater, they've more than likely forgotten that its there.
2. They have cable / dsl that they use to connect to aol and they have absolutely no firewalls or virus pro
Re:From Microsoft Security Bulletin (Score:5, Funny)
Oh, come on, everyone knows the big tower is the hard drive!
What standards are they breaking. (Score:5, Interesting)
If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted.
They are conforming to the RFC. Username/Password is a hack. First people complain that IE doesn't follow RFC, and when they do, you still fucking complain.
Check your fact's before spouting off crap (Score:3, Insightful)
Re:Which standard? (Score:3, Informative)
Mozilla and I'm assuming Firebird do have this functionality.
Actually, it DOESN'T fix the flaw... (Score:3, Insightful)
Such a lame marketing move (Score:2, Interesting)
This incident, by the way, is why open source will continue to gain ground. There are no marketing nitwits working as gatekeepers.
This is exactly why MS products are so insecure... (Score:4, Interesting)
why not just use k-meleon? (Score:2)
http://kmeleon.sourceforge.net [sourceforge.net]
Fixed Indeed (Score:5, Interesting)
http(s)://username:password@server/resource.ext
Unfortunately this isn't fixed as it should be, i.e. you're shown the entire link in the address bar and maybe even given a warning when you go to the site. Instead they fixed this by not allowing the '@' character in addresses, as was suggested they might here. Hadn't they been saying previously that this problem was unfixable, presumably the reason for disallowing the '@' altogether rather than a real fix? I have two questions. First, what kind of codebase do they have that they can't make a real fix?!? Sure it might be a bit of a pain, but it's obviously possible since no other browser is affected (heck, I even tried IE for Mac yesterday and it handled it perfectly!). They obviously handle the url properly at some point since you visit the proper site; they should be able to display the url properly!
Next, what is the effect of them deprecating the '@' tag? I don't recall ever seeing this in the wild and can't really see a lot of use in microsoft.com@slashdot.org. Of course the example they give is username:password, but I can't see any real site displaying the password in plaintext in the url. Does anyone have an example of where this is used and what the effects will be?
Re:Fixed Indeed (Score:3, Interesting)
I can't think of a good reason for having a special character in the first place that suppresses display of everything after it unless Microsoft needs it for some special purpose behind the scenes.
Can you just accidentally end up with these things? Is it because the common controls they use have this "feature" which is needed in other applications and so IE just inherited
Re:Fixed Indeed (Score:4, Interesting)
There are a hundred other fixes they could do that would be better than this one. It is going to break sites! Certainly in-house things use this plenty for low security, and it should be quite good security for one-off passwords that only work for a very short time.
Number 1 fix would be to preview the url in its entirety. %00 should show as %00.
Now a lot of people have pointed out that the '@' syntax still fools a lot of people anyway (that was why a bunch of MS trolls claimed the same bug was in Mozilla, because they were stupid enough to be fooled by this). So number 2 fix, while they are looking at that code, is to change it so that everything before the @ is not displayed. This also will hide the username/password for (obviously weak) security.
Removing the '@' does nothing for people fooled by "//www.microsoft.com.evil.org" thinking it goes to Microsoft and not Evil. So maybe rearrange URLs like "//com.evil.org(www.microsoft.com.evil.org)/..." or come up with a new standard for previewing them like "///org/evil/com/microsoft/www//..." so the most important information is first. Obviously this is tough to design, but Microsoft could do this and perhaps impress people here, rather than annoy them with their incredibly lame "solutions".
. This is getting more tricky since it could be used to hide information
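One defensive way to handle the URL shape discussed here and in the earlier comment about "http://www.good.com/foo%00@www.evil.com/bar", as an added example that is not code from the patch or from any browser: split the authority as RFC 2396 describes, report the real host, flag userinfo that HTTP URLs are not supposed to carry, and build the host-first preview both posts suggest. The function names and the sample URLs are constructed for this example.

```python
"""Recover the real host of a URL that carries userinfo and flag the deceptive
shapes discussed in the thread. Added illustration only; not code from the
Microsoft patch or from any browser."""
import re
from typing import List, NamedTuple, Optional

# Percent-encoded C0 control characters (%00-%1F) inside userinfo: no real
# user name needs them, and the thread reports IE truncated its display there.
_ENCODED_CONTROL = re.compile(r"%[01][0-9A-Fa-f]")
_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)$")


class ParsedURL(NamedTuple):
    scheme: str
    userinfo: Optional[str]
    host: str
    port: Optional[int]
    path: str          # everything after the authority, query included
    warnings: List[str]


def split_url(url: str) -> ParsedURL:
    """Split scheme://[userinfo@]host[:port]/rest as RFC 2396 section 3.2
    describes: the authority runs from '//' to the first '/', '?' or '#',
    and userinfo is whatever precedes the last '@' inside that authority."""
    m = _URL.match(url)
    if not m:
        raise ValueError("not a URL with an authority component: %r" % url)
    scheme, authority, rest = m.group(1).lower(), m.group(2), m.group(3)
    userinfo: Optional[str] = None
    hostport = authority
    if "@" in authority:
        userinfo, hostport = authority.rsplit("@", 1)
    host, _, port_str = hostport.partition(":")
    port = int(port_str) if port_str.isdigit() else None

    warnings: List[str] = []
    if userinfo is not None:
        if scheme in ("http", "https"):
            warnings.append("RFC 1738 3.3 allows no user name or password in HTTP URLs")
        if _ENCODED_CONTROL.search(userinfo):
            warnings.append("userinfo contains a percent-encoded control character")
        if "." in userinfo:
            warnings.append("userinfo looks like a host name: %r" % userinfo)
    # An '@' inside the path is legal, but a parser that does not stop the
    # authority at the first '/' would read everything before it as userinfo.
    if "@" in rest.split("?", 1)[0].split("#", 1)[0]:
        warnings.append("'@' appears in the path; lenient parsers may treat "
                        "the text before it as userinfo")
    return ParsedURL(scheme, userinfo, host, port, rest, warnings)


def safe_preview(url: str) -> str:
    """Status-bar preview as the post proposes: when userinfo is present,
    hide it and start the display at the '@', so the real host comes first."""
    p = split_url(url)
    if p.userinfo is None:
        return url
    hostport = p.host if p.port is None else "%s:%d" % (p.host, p.port)
    return "@" + hostport + p.path


if __name__ == "__main__":
    # Constructed samples: the shape from the thread, the same with a slash
    # before the '@', and a legitimate FTP login URL.
    for sample in ("http://www.good.com%00@www.evil.com/bar",
                   "http://www.good.com/foo%00@www.evil.com/bar",
                   "ftp://me:you@ftp.example.com:2121/pub"):
        p = split_url(sample)
        print(sample)
        print("  host=%s userinfo=%r preview=%s" % (p.host, p.userinfo, safe_preview(sample)))
        for w in p.warnings:
            print("  warning:", w)
```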
I wonder how much it also breaks (Score:3, Insightful)
They're a breeding-ground of spam and everything that's out of control is their own fault due to their policies.
click here (Score:5, Funny)
RFC 1738 (Score:5, Informative)
//<user>:<password>@<host>:<port>/<url-path>
Although the RFC does go on to stipulate that "[s]ome or all of the parts '<user>:<password>@', ':<password>', ':<port>', and '/<url-path>' may be excluded." Oddly enough, this form is broadly defined as being the general form of URLs, but is not the form of HTTP URLs (which lack the username and password). The RFC seems to indicate that this functionality was designed with FTP in mind - anyone know if MS disabled it for all URLs, or just http ones?
Re:RFC 1738 (Score:5, Informative)
Also, this fixes the scroll bar issue... (Score:5, Informative)
Patch breaks OWA in Exchange 2003 (Score:4, Informative)
Not sure if this is the way it is with every Exchange server or if it is how my university's server is configured, but if you use OWA you might want to be careful with this patch.
Re:Patch breaks OWA in Exchange 2003 (Score:3, Informative)
Something really scary.... (Score:5, Informative)
"...For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)..."
although there's no mention of that in the KB article.
Typo in MS "official information" (Score:3, Informative)
From the alert:
* For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
The link "tailspintoys.com" actually goes to "tailspingtoys.com" (which is not resolved at all).
Here is the behavior of IE after patching.... (Score:5, Informative)
When going to *any* URL with an "@" in it, IE will come up with an error page titled "Invalid Syntax Error" with the content:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.
Once that error message is on the screen, any attempt to go to another URL with an "@" in it (by clicking on the URL bar and pressing enter, or typing in a different URL with an "@" in it) will cause IE to clear the page area to blank and the throbber will continue spinning indefinitely.
This makes it appear that there is some sort of network connectivity problem, or that IE is somehow hung up. Typing in a normal URL will show that everything is fine.
Also, this update doesn't fix the bug where IE displays an incorrect value in the status bar, such as this one: this one [secunia.com].
(Though clicking the link on that page will fail with the above described error page)
It's a Good Thing (Score:4, Insightful)
I think this fix is a great thing. Now when my friends say "The porn sites won't work anymore" I can say "Here Try this [mozilla.org]"
Finally Microsoft gives me a perfect answer to "But why should I switch?" questions.
Re:NOW MAYBE U FUCKING ANTI-MS HOMOSEXUALS WILL ST (Score:2, Funny)
Re:Whew.. (Score:2)
Re:Whew.. (Score:2)
But you're right, people don't stay nearly up to date on patches - for pretty much anything they use.
Reminds me of the time my friend couldn't get his Counter-Strike to work, and wanted me to help him. Within like two minutes, I realized he hadn't updated his video drivers.
Oy.
Re:3mb ??? (Score:2, Funny)
10K bug fix
2.799M new bugs
(I typed this already, but after downloading the patch my computer froze up and I'm having to retype it.)
I can't take credit for this, as I saw it on slashdot once: "64,000 bugs in the code, 64,000 bugs, whack one back with a service pack, 64,008 bugs in the code."
Re:3mb ??? (Score:2)
Of course it does, it now gives Redmond full access to your hard drive. And they snitch to RIAA for bucks per bust.