
January 28, 2004 12:00 AM

Microsoft To Change Internet Explorer Behavior

Windows IT Pro
InstantDoc ID #41589

Microsoft announced plans to change the way Internet Explorer (IE) handles certain URLs that have been used in the past to dupe users into visiting a site they didn't intend to visit.

Many browsers, including IE, have supported a URL format that includes the @ symbol. Typically the symbol is used to transmit a username and password pair to a server that requires a login, for example http://username.password@www.legitimatesite.ext. However, someone could also use the same technique to send a user to a site they didn't intend to visit by crafting a URL such as http://www.microsoft.com@www.exampledomain.ext. The user might think that clicking the URL would take them to www.microsoft.com, but the browser treats everything before the @ symbol as login information, so the URL actually takes the user to www.exampledomain.ext.

The ploy has been used numerous times by intruders to spoof legitimate sites and dupe users into divulging sensitive information. Customers of various banks have been duped by such a URL into visiting a site that looks like the bank's real Web site when in reality the site was a copy operated by intruders to collect bank customer information.

In article 834489, Microsoft explains that it will soon release a software update for IE 6.0 and 5.x running on the Windows Server 2003, XP, 2000, NT, and 98 platforms. With the update installed, the spoofing technique will no longer work for the HTTP and HTTPS protocols. At the same time, legitimate sites that rely on the @ symbol in URLs to gather login information (username.password@www.legitimatesite.ext) will no longer be accessible in that fashion via IE. The URL format will, however, still work in IE for the FTP protocol. Microsoft said that registry keys can be used to disable the new HTTP and HTTPS URL restrictions that the update imposes.
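The following is an added example, not code from the article or from Microsoft, that makes the two points above concrete: it shows which host a standards-conforming URL parser actually connects to when a decoy name sits before the @ symbol, and it implements a small policy check that mirrors the behaviour the article describes for the update (userinfo rejected for HTTP and HTTPS, still accepted for FTP). Standard URL syntax separates the username and password with a colon (user:pass@host); the sample URLs, the hostnames, and the "looks like a hostname" heuristic are constructed for this example. Only the Python standard library is used.

```python
"""Added example: how the '@' URL trick resolves, and a policy check
modelled on the IE update described in the article. Sample URLs below
are constructed for illustration and are not from the original page."""
from urllib.parse import urlsplit

# Schemes for which the described update stops honouring "user:pass@"
# (the article states FTP keeps the old behaviour).
USERINFO_BLOCKED_SCHEMES = {"http", "https"}


def real_host(url: str) -> str:
    """Return the host a browser actually connects to.

    In the authority part, everything before the last '@' is userinfo,
    not the host. That is why 'http://www.microsoft.com@www.exampledomain.ext'
    goes to www.exampledomain.ext, not to www.microsoft.com.
    """
    return urlsplit(url).hostname or ""


def userinfo(url: str) -> str:
    """Return the 'user' or 'user:password' text before the '@', or ''."""
    parts = urlsplit(url)
    if parts.username is None:
        return ""
    if parts.password is None:
        return parts.username
    return f"{parts.username}:{parts.password}"


def looks_like_spoof(url: str) -> bool:
    """Heuristic (an assumption of this example): flag a URL whose
    userinfo contains a dot, since a genuine login prefix is a plain
    username while a decoy such as 'www.microsoft.com' looks like a host."""
    return "." in userinfo(url)


def classify(url: str) -> str:
    """Mirror the update's behaviour as the article describes it.

    Returns 'no-userinfo' when the URL has no login prefix, 'blocked'
    for http/https URLs that carry one, and 'allowed' for other schemes
    (ftp) where the prefix is still honoured.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return "no-userinfo"
    if parts.scheme.lower() in USERINFO_BLOCKED_SCHEMES:
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    # Constructed samples: a decoy URL, a legitimate login URL, an FTP URL.
    samples = [
        "http://www.microsoft.com@www.exampledomain.ext",
        "https://alice:s3cret@www.legitimatesite.ext",
        "ftp://alice:s3cret@ftp.legitimatesite.ext",
        "http://www.microsoft.com/",
    ]
    for url in samples:
        print(f"{url}\n  connects to: {real_host(url)}"
              f"\n  userinfo: {userinfo(url)!r}"
              f"\n  suspicious: {looks_like_spoof(url)}"
              f"\n  after update: {classify(url)}")
```

Running the block prints, for each constructed URL, the host the browser would really contact, the login prefix it carries, whether the prefix looks like a decoy hostname, and how the described update would treat it. The same `real_host` check is the one a mail gateway or proxy log review would apply to links before trusting the name a user sees.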

Microsoft recommends several workarounds for site developers who might be affected by the new IE behavior. Sites that rely on login information embedded in HTTP and HTTPS URLs should be recoded to use cookies instead, or to use other programming interfaces and functions to gather user authentication. For details on Microsoft's upcoming changes to IE and its suggested workarounds, be sure to read the article.


Comments
  • Matthew
    8 years ago
    Feb 08, 2004

    This sounds like a good thing.

    However, I use the http://username.password@www.legitimatesite.ext to pass login information via the URL.

    Is a workaround planned?

    Matthew

  • Mark
    8 years ago
    Feb 04, 2004

    Just a pedantic comment - simply noticed a potential spell-check-getting-too-cocky error: third paragraph "used numerous times by intruders to spoof legitimate sights". Should "sights" not read "sites"? A mistake like this doesn't look particularly professional. It's the sort of mistake that people who don't know anything about the internet make.

  • Power User
    8 years ago
    Feb 02, 2004

    You know, it is a shame that IE has to be targeted and exploited so often, but yet that is the way things go. I suppose these attacks are cleverly coded enough to have not been foreseen in the Microsoft testing labs. Also, I have read from supposedly adept programmers that Mozilla Firebird will kick IE's ass. Firebird sucks, plain and simple. I have yet to use anything of Netscape/Mozilla or ilk that comes anywhere near the usability and speed of IE's latest (with patches of course).

  • weere
    8 years ago
    Jan 29, 2004

    This is a pity

  • kumar mahadevan
    8 years ago
    Jan 28, 2004

    good info !

    thx
