The Web    Google
Microsoft to Strike IE URL Passwords

Microsoft to Strike IE URL Passwords
January 29, 2004
Ryan NaraineBy

Microsoft has announced plans to remove Internet Explorer browser support for user names and passwords as a means of protecting users from several known IE security holes.

The software giant did not say when the long-delayed IE patch would be released but, in a knowledge base article, Microsoft confirmed plans to modify the way IE handles user credentials.

The most likely scenario is for Microsoft to issue the patch in its next monthly scheduled release (second Tuesday in February) but the company has made it clear it would go out-of-cycle in emergency cases.

Microsoft explained that the IE fix will strike support for handling user names and passwords in both HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs. It effectively provides a workaround for the URL-spoofing flaws that are used by scammers to mask fake sites and trick users into giving up sensitive information including credit card and social security numbers.

Details of the spoofing flaw were first reported last December along with a test exploit using the domain.

User names and passwords in IE URLs are typically used to automatically send information to a Web site that supports the most basic authentication method and has been embedded in the browser since version 3.0. However, scammers have found a way to manipulate the URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site.

"Additionally, malicious users can use this URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of Internet Explorer," the company said.

Microsoft's confirmation of an IE patch comes just one day after independent researchers warned of a new IE security flaw that could be exploited to trick users into downloading malicious files. The bug, which carries a "moderately critical" rating from tech security consulting firm Secunia, could allow malicious Web sites to spoof the file extension of downloadable files.

The company did not say if the coming IE patch would include fixes for five different IE vulnerabilities that leaves users at risk of system takeover, exposure of sensitive information, cross-site scripting and security bypass.

Last November, Chinese security researcher Liu Die Yu released details of circulated proof-of-concept exploits on several mailing lists, warning that IE versions 5.0, 5.5 and 6.0 were susceptible to the vulnerabilities, which carry an "extremely critical" rating.

Microsoft has confirmed it was investigating Yu's claims and said a patch was under development. Stephen Toulouse, program manager at Microsoft's security response center, told the patch was not yet released because of rigid testing procedures.

"The release [of a patch] requires a balance between time and testing. We'll only release a patch when it's well-engineered and thoroughly tested . . . We are taking that very seriously and we're proceeding with our investigations," Toulouse explained.

"An incomplete patch can be worse than no patch at all. Especially if faulty patch only ends up serving to alert malicious attackers to the issue," he added, nothing that a cumulative patch for IE represented a unique challenge for patch programmers because the browser was deployed in numerous versions, languages and on multiple operating systems.

  • 9/2: Trojan Yipid Sends Chinese Email
  • 8/3: MyDoom-Q Arrives in the Wild
  • A New Breed of Phish
  • 4/29: Kelvir-D an IM Worm
  • Enforcer 3.1 Bars Unsanctioned IM, P2P Access
  • 9/3: Worm Ends Antivirus Processes
  • VeriSign Intros WS-Security Implementation, Toolkit
  • 5/2: Sober-S Worm a 'Medium Threat'
  • Feds Bag Warez Convictions
  • IM Security Under The Gun
  • Robbing the (Data) Bank
  • Buy Security Camera