Microsoft: Change to IE will block some Web URLs

BOSTON - Responding to a wave of online scams, Microsoft Corp. said that it is fixing a flaw in its popular Internet Explorer that makes it easy to mask the real address of a Web page displayed on the browser.

Microsoft will soon release a software update for IE that will end that browser's ability to accept Web URLs (Uniform Resource Locators) that hide the address of the Web page being displayed using the "@" symbol. The update will remove a feature that is being exploited in scams that use spoof Web sites to harvest personal information from unsuspecting Internet users, Microsoft said in a note posted on its Web page Tuesday.

Microsoft has not released the software update yet, but is giving users and Web designers advance notice of the change so that they can review and update Web sites that may have URLs that use the formatting in question, the company said.

Uniform Resource Locators are addresses for files, such as Web pages, on the Internet. For example, the URL for Microsoft's Web page is http://www.microsoft.com.

At issue are Web URLs that include user login information, often entered by Web site visitors, in the form http://username:password@webaddress. For example, Internet Explorer and other browsers interpret the following URL as a request to go to www.microsoft.com and log in as customer1 using the password abc123: http://customer1:abc123@www.microsoft.com.

In so-called "phishing" scams, con artists take advantage of the liberal way Internet Explorer interprets these URLs, substituting the username:password part of the URL with the name of a legitimate Web site, then hiding the address of their Web site after the "@" symbol, said Nick Fitzgerald, an independent antivirus researcher.

A scam artist targeting Paypal customers might create a page that looks like Paypal.com, with fields asking for a Paypal customer's username and password, then link to that site using URLs that look like they point to the real Paypal.com Web site. For example: http://www.paypal.com@phishersite.com

Internet users who see the address assume, wrongly, that the browser is going to www.paypal.com, when it is really going to www.phishersite.com.

With most commercial Web sites and search engines dynamically generating HTML content, Web surfers have become accustomed to seeing long, complicated strings of characters in the Address bar of their Web browser, Fitzgerald said.

"This stuff is just completely meaningless to human beings. People have slowly come to expect that this is gibberish that computers talk," he said.

Making matters worse, a recently-discovered flaw in the way that IE parses URLs allows scam artists to completely replace Web URLs that use the username:password@ formatting with a URL of their choosing, regardless of which Web page is actually displayed in IE. Microsoft was criticized in recent weeks for not moving to patch that vulnerability when it released its other January security updates.

Microsoft, like many other browser makers, based its support of the username:password@ syntax on Internet standards documents, such as Internet Engineering Task Force (IETF) documents RFC (Request For Comments)1738, which specifies how URLs on the Internet should be formatted, and RFC 2616 that specifies how HTTP URLs should be formatted, Fitzgerald said.

The change announced on Tuesday will violate some of those specifications, but benefit consumers, according to Russ Cooper, TruSecure Corp. Surgeon General and moderator of the NTBugtraq security discussion group.

"No doubt some who will cry foul...or sob because needed functionality is now gone or Web sites have to be recoded," Cooper wrote in a message posted to NTBugtraq Wednesday. "To them I say a big 'Too bad!'. The average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."

That said, Microsoft should try to find a way to safely handle URLs with passwords in them, Cooper said.