Microsoft: Change to IE will block some Web URLs

Free Newsletters

Log-in | Register

Microsoft: Change to IE will block some Web URLs Move comes in response to slew of online scams
By Paul Roberts, IDG News Service January 29, 2004			E-mail Printer Friendly Reprints Slashdot It!

BOSTON - Responding to a wave of online scams, Microsoft Corp. said that it is fixing a flaw in its popular Internet Explorer that makes it easy to mask the real address of a Web page displayed on the browser.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

Microsoft will soon release a software update for IE that will end that browser's ability to accept Web URLs (Uniform Resource Locators) that hide the address of the Web page being displayed using the "@" symbol. The update will remove a feature that is being exploited in scams that use spoof Web sites to harvest personal information from unsuspecting Internet users, Microsoft said in a note posted on its Web page Tuesday.

Microsoft has not released the software update yet, but is giving users and Web designers advance notice of the change so that they can review and update Web sites that may have URLs that use the formatting in question, the company said.

Uniform Resource Locators are addresses for files, such as Web pages, on the Internet. For example, the URL for Microsoft's Web page is http://www.microsoft.com.

At issue are Web URLs that include user login information, often entered by Web site visitors, in the form http://username:password@webaddress. For example, Internet Explorer and other browsers interpret the following URL as a request to go to www.microsoft.com and log in as customer1 using the password abc123: http://customer1:abc123@www.microsoft.com.

In so-called "phishing" scams, con artists take advantage of the liberal way Internet Explorer interprets these URLs, substituting the username:password part of the URL with the name of a legitimate Web site, then hiding the address of their Web site after the "@" symbol, said Nick Fitzgerald, an independent antivirus researcher.

A scam artist targeting Paypal customers might create a page that looks like Paypal.com, with fields asking for a Paypal customer's username and password, then link to that site using URLs that look like they point to the real Paypal.com Web site. For example: http://www.paypal.com@phishersite.com

Internet users who see the address assume, wrongly, that the browser is going to www.paypal.com, when it is really going to www.phishersite.com.

With most commercial Web sites and search engines dynamically generating HTML content, Web surfers have become accustomed to seeing long, complicated strings of characters in the Address bar of their Web browser, Fitzgerald said.

"This stuff is just completely meaningless to human beings. People have slowly come to expect that this is gibberish that computers talk," he said.

Making matters worse, a recently-discovered flaw in the way that IE parses URLs allows scam artists to completely replace Web URLs that use the username:password@ formatting with a URL of their choosing, regardless of which Web page is actually displayed in IE. Microsoft was criticized in recent weeks for not moving to patch that vulnerability when it released its other January security updates.

Microsoft, like many other browser makers, based its support of the username:password@ syntax on Internet standards documents, such as Internet Engineering Task Force (IETF) documents RFC (Request For Comments)1738, which specifies how URLs on the Internet should be formatted, and RFC 2616 that specifies how HTTP URLs should be formatted, Fitzgerald said.

The change announced on Tuesday will violate some of those specifications, but benefit consumers, according to Russ Cooper, TruSecure Corp. Surgeon General and moderator of the NTBugtraq security discussion group.

"No doubt some who will cry foul...or sob because needed functionality is now gone or Web sites have to be recoded," Cooper wrote in a message posted to NTBugtraq Wednesday. "To them I say a big 'Too bad!'. The average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."

That said, Microsoft should try to find a way to safely handle URLs with passwords in them, Cooper said.

E-mail

Printer Friendly

Reprints

Slashdot It!

TOP NEWS:

» Four quick tips for choosing an IM security product
71 percent of businesses will invest in real-time messaging this year. If you're one of them, be sure to protect your enterprise

» Forrester analysts ID hot IT jobs
Research group finds 16 IT roles with a promising future

» Nvidia claims 10 hours of HD video on Tegra chip
The Tegra 600 and 650 can be used with hard disk drives and are designed partly for mobile Internet devices

» Database vendors add Google's MapReduce
Greenplum and Aster Data Systems will support Google's programming technique, developed for parallel processing of large data sets across commodity hardware

» Network management: Tips for managing costs
New technologies, changing requirements, and ongoing equipment maintenance and upgrades cost money, but there are ways to manage expenses

» EMC targets SMBs, branch offices with new low-end storage
Celerra NX4 highlights include thin provisioning, snapshot technology for data recovery and backups, and Web-based console for management of storage volumes

FIVE WAYS TO REDUCE IT COSTS IN 2009
The demands on IT have never been greater, particularly in light of lower revenue and uncertain demand for the goods and services. There are many ways that IT can help organizations adjust to this new economic environment. Learn about five key technology trends that can immediately impact your organization's bottom line, and how to build a strategy to implement these technologies within your current budget. Sponsored by: Riverbed

» Click here to view this Webcast

Enterprise Data Security Solutions Guide
Data security used to be about outside threats. These days the biggest challenge for data-driven organizations is the management of secure information from the inside out. Data is available on laptops, your network and even USB devices, but not always secure. Read this Solutions Guide to learn the best ways to keep it safe. Sponsored by ISC2

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

iSCSI: The Rising Enterprise Star - The value proposition of iSCSI storage has always been its simplicity and low cost compared to Fibre Channel. No training...
Data Grids and Service-Oriented Architecture - When choosing an SOA strategy, corporations must rely on solutions that ensure data availability, reliability, performance...
Symantec Endpoint Protection White Paper - IT everywhere faces a threat landscape of attacks that exploit vulnerabilities in endpoint devices. Symantec Endpoint Protection...
Configuration Assessment: Choosing the Right Solution - Configuration assessment lets businesses proactively secure their IT infrastructure and achieve compliance with important...
Symantec Endpoint Protection White Paper - IT everywhere faces a threat landscape of attacks that exploit vulnerabilities in endpoint devices. Symantec Endpoint Protection...
Effective Security with a Continuous Approach to ISO 27001 Compliance - The ISO 27001 standard is primarily referred to as the Information Security Management System (ISMS) certification standard...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
- See how Rackspace can optimize your IT dollars. Use Ensemble - quickly create composite applications. - Nokia - Interaction between Nokia Intrusion Prevention and Nokia Firewall Nokia - The Case for a Specialized Security Platform HP - HP Architect Planning Tools for MS Office Communications Server 2007 HP - Best Practices for Deploying Microsoft Office SharePoint Server 2007 HP - HP ProLiant BL480c Server Blade Microsoft Exchange Server 2007 HP - HP Smart Array P800 Controller and HP MSA60 2,500 Oracle - Top 3 Ways to Cut Costs in 2009 with Oracle Content Management		Infoblox - The Costs and Impacts of DNS and IP Address Management HP - HP StorageWorks products-control, consolidation and confidence. HP - Predict the future with HP Insight Power Manager HP - Affordable technology-no compromise. HP server solutions. Oracle - Oracle Universal Content Management Oracle - Information Workplace Platforms: Oracle vs. Microsoft Oracle - Performance Monitor: ERP at the Speed of Light Microsoft - Learn about the software-based VoIP solution from Microsoft. Oracle - Nucleus Report: Who's ready for SMB?

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2009, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist TecChannel :: TecCommunity