Microsoft's URL handling 'fix' for IE comes under fire
By Alun Williams
Posted on 6 Feb 2004 at 13:20
Microsoft's HTTP-related patch for Internet Explorer, addressing the use of spoofed URLs, has come under fire. The technique is often used by attackers 'phishing' for users' financial details.
Critics allege that the new restriction of HTTP functionality for URL syntax is actually harmful for a wide variety of legitimate users and that users will still be left vulnerable to malicious attackers.
The patch, which followed Knowledge Base Article 834489, relates to the use of 'deceptive' URLs: the syntax http(s)://username:password@server/resource.ext will no longer be supported by IE or Windows Explorer. Until now, a malicious user could use this syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a spoofed Web site.
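As an added illustration (not from the article or from Microsoft), the following Python link check parses the userinfo syntax described above the way a mail gateway or help-desk tool might: it reports the host the browser will actually contact, and flags links whose username part looks like a hostname or carries percent-encoded control characters. The sample links are constructed for this example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links of the kind a mail filter might see (not from the article).
SAMPLE_LINKS = [
    "https://www.example-bank.com/login",
    "http://www.example-bank.com@203.0.113.5/login",
    "http://www.example-bank.com%01@203.0.113.5/login",
    "http://user:secret@intranet.example.net/drivers/latest.zip",
]


def analyse_link(url: str) -> dict:
    """Describe how a browser will interpret the authority part of an http(s) URL."""
    parts = urlsplit(url)
    real_host = parts.hostname            # what is actually contacted
    username = parts.username             # text before '@' (None if absent)
    if username is None:
        return {"real_host": real_host, "userinfo": None,
                "looks_like_host": False, "hidden_chars": False, "verdict": "clean"}

    # Decode percent escapes so that control characters hidden in the userinfo show up.
    decoded_user = unquote(username)
    decoded_pass = unquote(parts.password) if parts.password is not None else None
    userinfo = decoded_user if decoded_pass is None else f"{decoded_user}:{decoded_pass}"
    hidden_chars = any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo)
    # A username containing a dot reads like a domain name to a casual glance.
    looks_like_host = "." in decoded_user

    if looks_like_host or hidden_chars:
        verdict = "deceptive"     # displayed text disagrees with the real host
    else:
        verdict = "credentials"   # plain embedded login, e.g. a B2B download link
    return {"real_host": real_host, "userinfo": userinfo,
            "looks_like_host": looks_like_host, "hidden_chars": hidden_chars,
            "verdict": verdict}


def scan_links(urls):
    """Map each URL to its verdict; 'deceptive' and 'credentials' links both stop working under the patch."""
    return {u: analyse_link(u)["verdict"] for u in urls}


if __name__ == "__main__":
    for link, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:11} real host={analyse_link(link)['real_host']!s:22} {link}")
```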
Paul Ockenden, Technical Director of CST Group, and more familiarly a Contributing Editor to PC Pro, believes the detrimental impact of the change will be widespread. 'Although embedded usernames and passwords within HTTP links aren't that common at the consumer end of the market, they have become quite common in Business to Business enterprises,' said Ockenden. 'Examples include image libraries, intranets, and customer support. New drivers, for example, are often posted on password protected parts of Web sites, and the URL with embedded username and password emailed to the end user. Companies using such embedded links are going to have to rethink their systems and processes.'
Stuart Okin, Microsoft UK's Chief Security Strategist, responded that while it was not possible to know the exact extent of such URL usage, Microsoft had received little negative feedback from the businesses it had contacted.
A Registry change can re-enable the functionality, Okin mentioned, but he did not suggest that this was a viable solution for application providers, who would otherwise have to tell end users to change their Registry settings before clicking a link.
Paul Ockenden also criticised Microsoft's approach to the issue of what is actually displayed in the URL address bar. 'What's really annoying,' he told us, 'is that we were expecting Microsoft to fix a bug which meant that it was possible to fool IE into displaying an incorrect address in the address bar. Instead of fixing this bug, they've switched off a whole area of functionality.'
'But the worst thing is they've made this change without giving any notice to developers,' he added.
Okin, in response, questioned how many people actually examine the content of the address bar before clicking a link. He said that the change to ensure that previously hidden characters were now displayed was a positive step.
He conceded that application developers would be inconvenienced by the change but insisted the company faced a trade-off with quickly responding to security concerns. 'Microsoft has a clear focus to improve on security matters,' he insisted.
The point remains that care needs to be exercised before invoking any hyperlink in email. More generally, end users still need to be made more aware of their own security. Okin recommended that users, when faced with an email link from a familiar company, should always use a stored bookmark as the starting point of navigation, rather than clicking on the link itself.
What are your views on this matter? Can the spoofing of URLs ever be completely prevented?