IE update clears up spoofing issue


Shawna McAlearney, News Editor

Microsoft garnered kudos from security experts this week when it announced it would release a software update that modifies a long-protested default behavior of Internet Explorer (IE) 3.0 and later versions.

IE's handling of user information in HTTP and HTTPS URLs allows Windows Explorer and IE to open HTTP and HTTPS sites by using a URL that includes user names and passwords. According to Microsoft, a malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but which actually opens a spoofed one.

The example provided by Microsoft (www.wingtiptoys.com@example.com) appears to open www.wingtiptoys.com, but it actually opens http://example.com.

Additionally, malicious users can use this URL syntax in conjunction with other methods to create a link to a spoofed Web site that displays the URL to a legitimate Web site in the status bar, address bar and title bar in all versions of Internet Explorer, Microsoft said.
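To make the mechanism concrete, here is an added example (not code from the article or from Microsoft) that parses URLs with the standard WHATWG URL API available in Node.js and browsers. It shows that everything before the `@` in Microsoft's example is the user-information part of the URL, not the host, and implements a check that refuses HTTP and HTTPS links carrying user information, which is the behaviour change the update described above introduces. The function names and the additional sample URLs are the author's own constructions.

```javascript
// Added example: how "user:password@host" in an HTTP URL lets a link read
// like one site while resolving to another, plus a link-acceptance policy
// modelled on the IE update described in the article (http/https URLs
// with user information are refused). Not part of the original article.

function auditLink(href) {
  const u = new URL(href);            // WHATWG URL parser (Node.js / browsers)
  const userInfo = u.username + (u.password ? ":" + u.password : "");
  return {
    scheme: u.protocol.replace(/:$/, ""),
    userInfo,                         // text a reader may mistake for the host
    actualHost: u.hostname,           // where the request really goes
    hasUserInfo: u.username !== "" || u.password !== "",
  };
}

// Policy: http/https URLs that carry user information are refused outright.
// Other schemes are left alone, mirroring the narrower scope of the update.
function acceptsHttpLink(href) {
  const a = auditLink(href);
  const web = a.scheme === "http" || a.scheme === "https";
  return !(web && a.hasUserInfo);
}

// Alternative mitigation: strip the credentials and show the URL that
// would actually be loaded.
function stripUserInfo(href) {
  const u = new URL(href);
  u.username = "";
  u.password = "";
  return u.href;
}

// Microsoft's example from the article, plus constructed variants.
const SAMPLES = [
  "http://www.wingtiptoys.com@example.com",
  "https://www.wingtiptoys.com:secret@example.com/login",
  "http://www.wingtiptoys.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    const a = auditLink(s);
    console.log(`${s}\n  looks like: ${a.userInfo || "(none)"}` +
                `  really: ${a.actualHost}  accepted: ${acceptsHttpLink(s)}`);
  }
}
```

Run with `node` to see the three samples audited. The key observation is that the parser, like IE, treats `www.wingtiptoys.com` in the first sample as a user name and `example.com` as the host, so any display logic that echoes the raw link text rather than the parsed host is what makes the spoof work.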

"The announcement by Microsoft that it intends [to] remove the capability for Internet Explorer to accept passwords within HTTP or HTTPS URLs takes my assessment of their 'trustworthy computing' initiative from a possible 'D' to a 'C+,'" Russ Cooper, surgeon general at TruSecure Corp. and editor of NTBugtraq, told his list. "It would've gone to a 'B' if [Microsoft] had done this for all protocol types. And if it completely removed any form of encoding in all forms in URLs, I would've given [Microsoft] an 'A.'

"This action is a clear demonstration of the ['trustworthy computing' initiative] promise: security over functionality. The average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."

Microsoft's January patch release did not include a fix for the problem, and SearchSecurity.com readers responding to an online poll were none too pleased.

Of the 113 who voted, 94 said Microsoft should have addressed the vulnerability with a patch.

FOR MORE INFORMATION:

Click here for Microsoft's Knowledge Base article on IE's handling of HTTP and HTTPS URLs.

FEEDBACK: What does this do for your perception of Microsoft's 'trustworthy computing' initiative?
Send your feedback to the SearchSecurity.com news team.