
IE update clears up spoofing issue

Microsoft's announcement that it will patch a spoofing vulnerability in Internet Explorer is being lauded as a move that favors security over functionality.

Microsoft garnered kudos from security experts this week when it announced it would release a software update that modifies a long-protested default behavior of Internet Explorer (IE) 3.0 and later versions.

IE's handling of user information in HTTP and HTTPS URLs allows Windows Explorer and IE to open HTTP and HTTPS sites by using a URL that includes user names and passwords. According to Microsoft, a malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but which actually opens a spoofed one.

The example provided by Microsoft ( appears to open, but it actually opens

Additionally, malicious users can use this URL syntax in conjunction with other methods to create a link to a spoofed Web site that displays the URL to a legitimate Web site in the status bar, address bar and title bar in all versions of Internet Explorer, Microsoft said.
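In the URL form described above, any text before an "@" in the authority is user information, and the host actually contacted is whatever follows the "@". The check below is an added example, not code from Microsoft or from the original article: it flags HTTP and HTTPS links that carry user information and reports the real destination. The function names and the sample links are constructed for illustration.

```javascript
// Constructed sample links; *.example and 198.51.100.7 are reserved documentation values.
const SAMPLE_LINKS = [
  "http://www.trusted.example@198.51.100.7/login",
  "https://alice:s3cret@intranet.example/reports",
  "https://www.trusted.example/login",
  "ftp://user@files.example/",
];

// Decode userinfo for display; malformed percent-escapes are returned raw.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Classify one link. For http(s) URLs carrying userinfo, report the host that
// is really contacted and a copy of the URL with the userinfo stripped.
function inspectLink(href) {
  let url;
  try { url = new URL(href); } catch { return { href, verdict: "unparseable" }; }
  // Same scope as the announced IE change: HTTP and HTTPS only.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { href, verdict: "not-http" };
  }
  if (url.username === "" && url.password === "") {
    return { href, verdict: "ok", host: url.hostname };
  }
  const shown = safeDecode(url.username);
  // Userinfo shaped like a host name is what makes a link read as if it
  // pointed at a different site from the one it opens.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(shown);
  const stripped = new URL(url.href);
  stripped.username = "";
  stripped.password = "";
  return {
    href,
    verdict: looksLikeHost ? "spoof-suspect" : "has-userinfo",
    shown,
    host: url.hostname,
    strippedHref: stripped.href,
  };
}

// Return only the links a mail or proxy filter would want to flag.
function auditLinks(hrefs) {
  const flagged = new Set(["spoof-suspect", "has-userinfo"]);
  return hrefs.map(inspectLink).filter((r) => flagged.has(r.verdict));
}

console.log(auditLinks(SAMPLE_LINKS));
```

The FTP link is reported as "not-http" rather than flagged, mirroring the HTTP/HTTPS-only scope of the announced change.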

"The announcement by Microsoft that it intends [to] remove the capability for Internet Explorer to accept passwords within HTTP or HTTPS URLs takes my assessment of their 'trustworthy computing' initiative from a possible 'D' to a 'C+,'" Russ Cooper, surgeon general at TruSecure Corp. and editor of NTBugtraq, told his list. "It would've gone to a 'B' if [Microsoft] had done this for all protocol types. And if it completely removed any form of encoding in all forms in URLs, I would've given [Microsoft] an 'A.'

"This action is a clear demonstration of the ['trustworthy computing' initiative] promise: security over functionality. The average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."

Microsoft's January patch release did not include a fix for the problem, and readers responding to an online poll were none too pleased.

Of the 113 who voted, 94 said Microsoft should have addressed the vulnerability with a patch.


