The announcement follows several IE-related security warnings issued by Danish security company Secunia. In December, Secunia alerted the security community to an IE bug that would let hackers display false Web addresses. And on Wednesday, the company posted details of an alleged flaw that could let Web surfers be tricked into downloading malicious files from counterfeit sites reached via such fake addresses.
The newly announced patch will disable a feature that lets people code a username and password directly into a link so that someone clicking the link can easily access the restricted page to which it points. Links coded in this way are not commonly used on the Internet, but some Web developers have built the functionality into certain HTTP sites hosted on corporate intranets to give specific users convenient access to information.
The problem with the feature is that the username/password piece of the URL code is not used to locate the Web page. Attackers can therefore disguise that portion of the URL and trick surfers into thinking that they're going somewhere they're not.
"This is really bad, because even if you tried to figure out which site you were going to, you couldn't," said Russ Cooper, editor of NTBugtraq, a security newsletter published by TruSecure, a security consultancy.
This is how it works: the actual URL syntax in the link -- which appears in the IE address bar, when the link is clicked, and also at the bottom of the IE window, when someone rolls over the link with the cursor -- looks like this: http(s)://username:password@server/resource.ext.
The browser uses whatever is to the right of the @ symbol to locate the Web page. Everything to the left of the @ is used to authenticate the user. If there is no authentication mechanism available on the targeted page, the beginning part of the URL is ignored.
Attackers, then, can use the area to the left of the @ symbol to create a fake Web address and fool victims into going to a different page or site. For instance, the URL http://www.cnet.com@mysimon.com looks like it will go to the Web site http://www.cnet.com, but it actually goes to http://mysimon.com.
The problem has been exacerbated by a recently discovered bug in the URL display of Internet Explorer browsers. By adding a few special characters in front of the @, an attacker can prevent the browser from displaying the true destination address of the URL. So, for instance, in the above example, the URL in the IE address bar and at the bottom of the IE window would appear as simply http://www.cnet.com.
After users install the new patch, IE will no longer recognise links coded with usernames and passwords and will send surfers to a Web page that displays an "Invalid syntax error" message. Microsoft hasn't said when the patch will be available, but the company has released a support document to help explain how coders of links can work around the new change.
Over the years, Microsoft has been sharply criticised for security issues in some of its products. But the company is working to improve its image. In 2002, it launched a program called "Trustworthy Computing," designed to focus its software developers on building better security into products. The software maker halted production to review code, delayed shipments and retooled its development process as a result.
The road toward making its software more secure has been a long one.
"I think they've made some improvements," said Stephen O'Grady, senior analyst at RedMonk. "But I think they've got a long way to go. It won't happen overnight."
Most experts agree that this latest patch is a step in the right direction, but Cooper believes that Microsoft could be doing more to improve security.
"This is a perfect fix for this specific problem," Cooper said. "But I think they could have gone further, by eliminating the feature in all protocols, like FTP (File Transfer Protocol). Still, it's good to see Microsoft actually removing something rather than just trying to fix it. It's a big step for them."
Microsoft maintains that it is very serious about making its software more secure, but, a company representative said, it must consider how fixes will affect its entire user base.
"We are aware that there is a growing concern among customers over URL spoofing," the representative said. "And we want to address those issues in a way that mitigates the hazard, but we also don't want to harm the user experience. It's a delicate balance."
The discontinued username-password feature is different from how many users access content on the open Internet. Most public Web sites that use authentication will explicitly ask users to type in their usernames and passwords when they try to access secure content. Users can choose to allow Microsoft Windows to remember the username and password combination for future use. The new patch will not affect this feature.
Talkback
Our entire system with over 10000 webmasters and 4 millions users is based on that feature. Customer complains are rising and we have to redesign the whole thing witout notice. Thanks Microsoft.
Microsoft's solution is filled with more holes than solid answers, sure there was a security problem that may have been exploited but they did not have to provide this plug as one of their automated updates.
Certainly, who ever is at the wheel must be spending too much time alone, if they had at least looked outside their own Window I doubt they would have taken such a blinded approach.
I'm sure there sending out checks to companies like mine to cover the fortune I've spent on development and deployment, what's next!
I understand why MS did this, however, as a developer with hundreds of sites using the old method of carrying the username/password in the url, I am now scrambling to find a replacement method....
Any ideas on how to implement a replecement for this?