A critical security patch released this week that fixes vulnerabilities in Internet Explorer has left many users unable to access certain Web sites and Internet resources.
Microsoft's latest IE update, which was released outside the monthly patching cycle, stops the company's browser from being used to transfer malicious code to a user's PC and fixes the URL spoofing flaw. However, it also stops URLs from being used to access password-protected Internet resources, a feature that many companies employ.
Up until June 2003, Microsoft itself thought the system safe enough to use in Passport, a secure repository designed to hold users' personal information, including their credit card numbers.
Richard Excoffier, founder of adult entertainment Web site Toteme, told ZDNet UK that the IE update has left many of his customers complaining that they cannot access the site: "We distribute our software via shareware and the registration process uses the feature to communicate with our servers. We have a rapidly rising number of users complaining because they can't access the content and resources they have paid for," he said.
According to Excoffier, the company's system can be modified to work with IE within a few days, but in the cut-throat business of adult entertainment, losing a percentage of customers because they can't access the systems for even a short time means they will probably switch to a competitor: "The cost in human resources is not very high, we're more concerned about customers giving up because 'our system does not work' within the day or two we need to fix it," he said.
In addition, the effect of the patch appears to be inconsistent. Some users have found that even after the patch is applied, IE can still be used to access resources with a URL password, contrary to Microsoft's claims.
Microsoft was not available for comment.
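For client software that, like the registration process described above, talks to a password-protected server, the credentials that used to ride in the URL can be sent in an HTTP Basic `Authorization` header instead. The following is an added example, not code from the article, Microsoft or any company quoted; the function name `splitUrlCredentials`, the `allowPlainHttp` option and all URLs and credentials are constructed for illustration.

```javascript
// Added example: move credentials out of a user:password@host URL and into
// a Basic Authorization header. Names and sample values are hypothetical.

function splitUrlCredentials(rawUrl, { allowPlainHttp = false } = {}) {
  const url = new URL(rawUrl); // throws on a malformed URL

  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }

  const headers = {};
  if (url.username !== '' || url.password !== '') {
    // Basic credentials are only base64-encoded, not encrypted, so refuse
    // to send them over plain HTTP unless the caller opts in explicitly.
    if (url.protocol !== 'https:' && !allowPlainHttp) {
      throw new Error('refusing to send Basic credentials over plain HTTP');
    }

    // The URL parser keeps userinfo percent-encoded; decode before encoding.
    const user = decodeURIComponent(url.username);
    const pass = decodeURIComponent(url.password);

    // In "user:password" the first colon is the separator, so a user name
    // containing one cannot be represented in Basic authentication.
    if (user.includes(':')) {
      throw new Error('user name must not contain ":"');
    }

    headers.Authorization =
      'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');

    // Strip the userinfo so the secret no longer appears in the URL, where
    // it would end up in logs, history and Referer headers.
    url.username = '';
    url.password = '';
  }

  return { url: url.href, headers };
}

// Constructed sample input: a legacy URL with embedded credentials.
const migrated = splitUrlCredentials(
  'https://alice:s3cr%40t@members.example.com/private/index.html'
);
console.log(migrated.url, migrated.headers);
```

The returned `url` and `headers` can be passed to any HTTP client; the server's Basic authentication configuration does not need to change.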






Talkback
This isn't exactly news. Microsoft was advertising this behavior change about a week before this patch was issued.
Anyone who passes the username and password in the url needs some serious classwork time anyway.
A whole week? And that wasn't enough time to not only become aware of the news but also enough time to find everything that might give problems and solve those problems along with some serious testing?
To be fair, on MSDN the warnings came much earlier but not that many keep up with what's written there.
Also, feature rich and fast to market (quick and dirty) usually wins from security considerations. After all, if it's paid for why improve it without some form of compensation, right?
Surely, Microsoft can relate to that.
It's perfectly valid to pass username and password in a URL - eg over SSL, or within an otherwise secured network.
[schema]//[user]:[password]@[host]:[port]/[url-path]
is defined in RFC 1738.
The staggering thing *should* be that a major software vendor specifically denies its installed base access to accepted standard mechanisms as a workaround for its own inadequacies. But hey, what else is new.
Insert this in the registry and all user/passwords are remembered again:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000
@geircito
With all the better browsers out there for the PC, why do you people stick with the piece of trash that is IE? Do you worship the beast from Redmond so much? Hello!! Opera anyone? Better yet, buy a Mac and be done with all of Microsoft's shenanigans.
Who will refund me for changing my identification system which is perfectly safe?
Classwork? Maybe you should go back to school, .htaccess is used for a variety of purposes and those that develop for this type of functionality and those that currently use and pass "passwords" in the URL have been left with hours and in many cases days of wasted effort in resolving the issue. Microsoft should develop a process of contacting those that depend upon it prior to just throwing out an automatic update.
If you think this was trivial, subtract the money I spent in support and development costs on this single issue out of YOUR paycheck and you can save the time in school learning this lesson -get it?
Well, once again, we have the dumbing down of features in a product...features which are vulnerable to attack. Sure, we could all use brain-dead browsers, but then we lose support for even more features. This is all just a part of life on the net.
As to the guy who patched and was surprised at the bug, I would suggest that you hire experienced engineers who test patches first....and control their release with products such as SUS. Gee, central patch management, that's a thought!
This recent gift from Microsoft has screwed up all the update forms for software that we sell to Web hosts, who have real estate agents who want to maintain their listings on the Web. As you can imagine, we are pretty annoyed to get this kind of make-work & poorly tested stuff from a co. who we also hold a lot of stock in. So, here I am blowing off steam. What a stupid maneuver.
So what non-US foreign globalized employee in what cheap-as-dirt country screwed up again for us this time?
Is there a way, say in php to automatically authenticate and pass into an .htaccess directory without the popup dialog?
Thanks for any ideas. This patch has me scrambling.
Hello,
Does anyone here have an alternative solution to this problem? I've been searching through the internet but still can't find a good solution to it. Anyone, please help.
Email : limcwb@sph.com.sg
Thanks so much
I must be a "criminal" because each time I try to access Microsoft Internet Explorer I get the following: "You have performed an illegal operation. Microsoft Internet Explorer will shut now shut down". I have searched Microsoft looking for this exact phrase since they are the demons that created it but to no avail. So here I sit rebooting and rebooting and... I know where I'd like to boot! Down with Microsoft!!!
If you don't like Windows, install Linux, prat.