A critical security patch released this week that fixes vulnerabilities in Internet Explorer has left many users unable to access certain websites and internet resources.
Microsoft's latest IE update, which was released outside the monthly patching cycle, stops the company's browser from being used to transfer malicious code to a user's PC and fixes the URL spoofing flaw, but it also stops URLs from being used to access password-protected internet resources, a feature that many companies employ.
Up until June 2003, Microsoft itself thought the system safe enough to use in Passport, a secure repository designed to hold users' personal information, including their credit card numbers.
Richard Excoffier, founder of adult entertainment website Toteme, said that the IE update has left many of his customers complaining that they cannot access the site: "We distribute our software via shareware and the registration process uses the feature to communicate with our servers. We have a rapidly rising number of users complaining because they can't access the content and resources they have paid for," he said.
According to Excoffier, the company's system can be modified to work with IE within a few days, but in the cut-throat business of adult entertainment, losing a percentage of customers because they can't access the systems for even a short time means they will probably switch to a competitor: "The cost in human resources is not very high; we're more concerned about customers giving up because 'our system does not work' within the day or two we need to fix it," he said.
In addition, the effect of the patch appears to be inconsistent. Some users have found that even after the patch is applied, IE can still be used to access resources with a URL password, contrary to Microsoft's claims.
Microsoft was not available for comment.
Munir Kotadia writes for ZDNet UK
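The feature the patch disables is the `user:password@host` form of URL that the article and the comments below discuss, and the KB text quoted in the comments shows why it mattered: the part before the "@" looks like a hostname but is really a username, so the browser connects to whatever follows the "@". As an added illustration (not code from the article, from Microsoft, or from any commenter), the Python below parses such URLs to report where they actually point, strips the embedded credentials the way a proxy or link checker might, and scans a few constructed log lines for URLs that carry credentials. The `www.wingtiptoys.com@example.com` sample is the KB's own example; the log lines and the `alice:hunter2@shop.example` URL are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches http/https URLs inside free text such as proxy logs (simple, constructed pattern).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def analyze_url(url):
    """Describe where a URL really points and whether its userinfo part is misleading.

    For "http://www.wingtiptoys.com@example.com" the text a casual reader takes for
    the host ("www.wingtiptoys.com") is actually the username; the real host is
    "example.com".
    """
    parts = urlsplit(url)
    has_userinfo = "@" in parts.netloc
    # Everything before the last "@" is userinfo; a reader may mistake it for the host.
    apparent_host = parts.netloc.rsplit("@", 1)[0] if has_userinfo else parts.hostname
    return {
        "scheme": parts.scheme,
        "actual_host": parts.hostname,       # what the browser will connect to
        "apparent_host": apparent_host,      # what the address looks like it points to
        "has_userinfo": has_userinfo,
        "username": parts.username,
        "password": parts.password,
        "misleading": has_userinfo and apparent_host != parts.hostname,
    }


def strip_userinfo(url):
    """Return the URL with any user:password@ part removed, keeping host and port.

    This mirrors the display behaviour the KB text describes for IE 6 SP1 (showing
    only "http://example.com"), applied to the URL itself.
    """
    parts = urlsplit(url)
    host_port = parts.netloc.rsplit("@", 1)[-1]  # keeps the original host[:port] text
    return urlunsplit((parts.scheme, host_port, parts.path, parts.query, parts.fragment))


def find_credential_urls(text):
    """Return every URL in the text that embeds credentials (a detection-side check)."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if analyze_url(m.group(0))["has_userinfo"]]


# Constructed sample proxy log: one plain request, one KB-style misleading URL,
# one URL with a real username and password embedded.
SAMPLE_LOG = """\
2004-02-04 10:01:02 GET http://example.com/index.html 200
2004-02-04 10:01:05 GET http://www.wingtiptoys.com@example.com/login 200
2004-02-04 10:02:10 GET https://alice:hunter2@shop.example/account 200
"""

if __name__ == "__main__":
    for found in find_credential_urls(SAMPLE_LOG):
        info = analyze_url(found)
        print(f"{found}\n  looks like: {info['apparent_host']}  really: {info['actual_host']}"
              f"  misleading: {info['misleading']}\n  cleaned: {strip_userinfo(found)}")
```

Run as a script it lists the two credential-bearing URLs from the sample log with their apparent and actual hosts; `find_credential_urls` is the piece a defender would point at real proxy or web-server logs to see how much traffic the patch would break before deploying it.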
Comments
1. Con
From reading BugTraq, where this issue has been widely discussed recently, two things become apparent. Make of them what you will:
1) This URL format should never have been used for web requests in the first place, according to RFC1738.
2) Microsoft clearly states in its knowledge base article on this matter (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489) how to revert back to the old behaviour.
2. John Airey
Security by mutilation? This is what was said on the Full Disclosure list.
Now if the browser put up a warning to say it was sending a username to a remote site, that would have been better.
In addition, links of the form https://username:password@host *are* encrypted, as no data passes from the browser to the server until the encrypted SSL session is set up.
3. Rory Alsop
I think you have some incorrect information. This is wrong, "Microsoft's latest IE update, which was released outside the monthly patching cycle, stops the company's browser from being used to transfer malicious code to a user's PC and fixes the URL spoofing flaw"
It doesn't do either of these. It is still possible to use the spoofing flaws in IE as the %01 and %02 issues have not been fixed, and it is still very possible to use the browser to transfer malicious code.
What it has done is disable the automatic sending of username and password, thus removing one simple attack vector.
4. Mike
So use Netscape or one of the other excellent browsers that will not be affected by this...
5. Joe
The following paragraph straight from the KB entry that was mentioned:
"Note In this case, Internet Explorer 6 Service Pack 1 (SP1) and Internet Explorer 6 for Microsoft Windows Server 2003 only display 'http://example.com' in the Address bar. However, earlier versions of Internet Explorer display 'http://www.wingtiptoys.com@example.com' in the Address bar."
So basically, I'm glad I have IE5.5 SP2 on my system. No way in <you know where> I'm going to install 6+, if it has such 'helpful' features as URL obfuscation on passworded sites (which is how this exploit worked - morons). Better to install Opera (gecko engine) or Netscape/Mozilla environments, and eliminate popups/unwanted autoredirects too.
Only serious issue was the Java byte verify bug, and a little reading of CWShredder's website fixed that little issue. :P