Microsoft gets rid of an IE feature to protect users

Opinion
Feb 11, 2004
Enterprise Applications, Internet Explorer, Microsoft

* Microsoft disables the use of '@' in URLs

If you think about Microsoft’s Internet Explorer browser in evolutionary terms it has morphed at a rate that would make Darwin’s head spin. So in the never-ending whirl that is the browser’s feature set, Microsoft has decided to lose a feature – it is removing support for user logons in http URLs. A URL-based user logon looks like this: http://mark:webapps@www.gibbs.com

This URL form invokes the Web server’s basic authentication system to provide access to the user “mark” with the password “webapps” on the server www.gibbs.com.

But a forthcoming IE update (see links below) will disallow the use of the “@” character in URLs because crooks can use “@” to obscure the true URL of a Web site.

This is how the scam works: Crooks put an “@” sign in the URL to make it look real. It looks real because the text to the left of the “@” is the name of the site a naïve victim expects to go to, while the text to the right is the location of the crook’s site; the browser treats everything before the “@” as a user name, so the only host that matters is the one after it. For example: http://www.gibbs.com@somename.com/.

While this was a reasonable scheme in the early days of the Internet, the inherent lack of security made it unacceptable once the ‘Net was commercialized.

And of course, there’s also a bug in IE (I know, I know, you’re shocked) that crooks have been able to exploit. This bug allows a URL with the “%01” character in it to make IE display an incorrect URL in its address and status bars. Thus: http://www.gibbs.com%01@somename.com/.

The bug would cause IE to display http://www.gibbs.com in the address and status bars even though the link would really take the browser to http://somename.com.

Combine the feature with the bug and add a plausible pitch as if it came from a branded company and “phishing” expeditions become very simple.
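As an added illustration that is not part of the column, the following Python shows how a standards-following URL parser actually splits the links above (the host is always what follows the last “@”), and how a defensive link checker can tell a legitimate logon URL from a look-alike spoof or a control-character trick. The sample URLs are constructed after the column’s examples; the classification labels and the `HOST_LIKE` heuristic are my own, and `ie_update_accepts` models the blanket rejection of “@” that the update applies.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links, modelled on the column's examples.
SAMPLES = {
    "login": "http://mark:webapps@www.gibbs.com",
    "spoof": "http://www.gibbs.com@somename.com/",
    "bug":   "http://www.gibbs.com%01@somename.com/",
    "plain": "http://www.gibbs.com/",
}

# Heuristic (assumption): a "user name" that looks like a domain name.
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def split_authority(url):
    """Return (userinfo, real_host). Everything before the last '@' in the
    authority is userinfo, which a server treats as credentials, never as
    a destination; the real host is everything after it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are handled")
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else None
    return userinfo, parts.hostname


def classify(url):
    """Label a link the way a defensive link checker might."""
    userinfo, host = split_authority(url)
    if userinfo is None:
        return "plain"
    decoded = unquote(userinfo)
    if any(ord(c) < 0x20 for c in decoded):
        # %01 and friends: control bytes that broke IE's address-bar display
        return "control-char"
    name = decoded.split(":", 1)[0]
    if HOST_LIKE.match(name) and name.lower() != (host or "").lower():
        # the "user name" is itself a domain: the classic look-alike spoof
        return "host-like-userinfo"
    return "credentials"


def ie_update_accepts(url):
    """Behaviour after the IE update: any '@' in the authority is rejected,
    legitimate basic-auth logons included."""
    return split_authority(url)[0] is None
```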

When you install the update any URL with a “@” symbol will create an “invalid syntax error” message when clicked. Despite what you may have read elsewhere, Microsoft does not offer alternate methods of automating user logons. The advisory suggests:

“If users typically type HTTP or HTTPS URLs that include user information in the Address bar, or click links that include user information in HTTP or HTTPS URLs, you can work around this new functionality in Internet Explorer in two ways:

1. Do not include user information in HTTP or HTTPS URLs.

2. Instruct users not to include their user information when they type HTTP or HTTPS URLs.

“If the Web site uses the basic authentication method, Internet Explorer automatically prompts users for a user name and a password. In some cases, users can click the Remember my password box in the dialog box to save their credentials for later visits to that Web site.”

Terrific! The advisory does however discuss more useful workarounds for application and Web site developers.

While the advisory makes it sound as if this update is available let me know if you can find it anywhere because I’ve been looking since Jan. 2, and from what I can see it has yet to be released.


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at http://gibbs.com/mgbio
