Microsoft garnered kudos from security experts this week when it announced it would release a software update that...
modifies a long-protested default behavior of Internet Explorer (IE) 3.0 and later versions.
IE's handling of user information in HTTP and HTTPS URLs allows Windows Explorer and IE to open HTTP and HTTPS sites by using a URL that includes user names and passwords. According to Microsoft, a malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but which actually opens a spoofed one.
The example provided by Microsoft (email@example.com) appears to open www.wingtiptoys.com, but it actually opens http://example.com.
Additionally, malicious users can use this URL syntax in conjunction with other methods to create a link to a spoofed Web site that displays the URL to a legitimate Web site in the status bar, address bar and title bar in all versions of Internet Explorer, Microsoft said.
"The announcement by Microsoft that it intends [to] remove the capability for Internet Explorer to accept passwords within HTTP or HTTPS URLs takes my assessment of their 'trustworthy computing' initiative from a possible 'D' to a 'C+,'" Russ Cooper, surgeon general at TruSecure Corp. and editor of NTBugtraq, told his list. "It would've gone to a 'B' if [Microsoft] had done this for all protocol types. And if it completely removed any form of encoding in all forms in URLs, I would've given [Microsoft] an 'A.'
"This action is a clear demonstration of the ['trustworthy computing' initiative] promise: security over functionality. The average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."
Microsoft's January patch release did not include a fix for the problem, and SearchSecurity.com readers responding to an online poll were none too pleased.
Of the 113 who voted, 94 said Microsoft should have addressed the vulnerability with a patch.
FOR MORE INFORMATION:
FEEDBACK: What does this do for your perception of Microsoft's 'trustworthy computing' initiative?
Send your feedback to the SearchSecurity.com news team.