Educause Security Discussion mailing list archives
Re: IT-ISAC Information Bulletin re MS04-004
From: REN-ISAC <dodpears () INDIANA EDU>
Date: Tue, 3 Feb 2004 09:56:59 -0500
Specifically, per http://support.microsoft.com/default.aspx?scid=kb;en-us;834489:

Internet Explorer versions 3.0 and later support the following syntax for HTTP or HTTPS URLs:

  http(s)://username:password@server/resource.ext

A malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com:

  http://www.wingtiptoys.com@example.com

Additionally, malicious users can use this URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of Internet Explorer.

The 832894 security update removes support for handling URLs of this form in Internet Explorer and Windows Explorer. After you install the 832894 security update, Windows Explorer and Internet Explorer do not open HTTP or HTTPS sites by using a URL that includes user information. By default, if user information is included in an HTTP or an HTTPS URL, a Web page with the following title appears: "Invalid syntax error".

At the Microsoft KB 834489 article referenced above, a number of workarounds for handling broken applications are described, including how to disable the new behavior once the security update is applied.

Regards,
Doug Pearson

At 09:16 AM 2/3/2004 -0500, Ariel Silverstone wrote:
Colleagues,

In my view, this patch has the potential to break many an application in use in Higher Ed due to the change in the URL rules.

Ariel Silverstone
Chief Information Security Officer
Temple University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of REN-ISAC
Sent: Monday, February 02, 2004 11:01 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: [SECURITY] IT-ISAC Information Bulletin re MS04-004

Attached is the IT-ISAC summary bulletin regarding MS04-004.

Regards,
Doug Pearson

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
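The spoofing trick quoted from KB 834489 above comes down to one parsing fact: in http://www.wingtiptoys.com@example.com everything before the "@" is user information, and the browser connects to example.com. The following is an added example, not code from the list post, from Microsoft, or from the KB article. It uses the WHATWG URL parser built into Node.js (the global URL class) to show which host such a link really opens, and a small filter that mirrors the rule the KB text describes for the 832894 update: HTTP and HTTPS URLs that carry user information are refused, while other schemes and a "@" that merely appears in a query string are left alone. The sample links are constructed for the demonstration; the function names are this example's own.

```javascript
// Added example (not from the list post or from Microsoft's KB 834489).
// Requires Node.js; the WHATWG URL class is global in Node 10+.

// Parse a link and report the host it actually connects to next to the user
// information that a reader is likely to mistake for the host.
// Returns null when the input is not a parsable URL.
function analyzeLink(href) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return null; // not a URL at all (TypeError from the parser)
  }
  const hasUserInfo = u.username !== "" || u.password !== "";
  const username = decodeURIComponent(u.username);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    username,
    password: decodeURIComponent(u.password),
    hasUserInfo,
    connectsTo: u.hostname,
    // The user part "looks like" a host name when it contains a dot. That is
    // the whole trick: the eye reads www.wingtiptoys.com and stops there.
    looksLike: username.includes(".") ? username : null,
  };
}

// Mirror the post-832894 rule as the KB text states it: HTTP(S) URLs that
// include user information are not opened ("Invalid syntax error" page).
// Other schemes are outside that rule and are passed through here.
function allowedAfter832894(href) {
  const a = analyzeLink(href);
  if (a === null) return false;
  if ((a.scheme === "http" || a.scheme === "https") && a.hasUserInfo) return false;
  return true;
}

// Rewrite a link to the destination it really opens, credentials removed,
// so the true target can be shown to a user or written to a log.
function realDestination(href) {
  const u = new URL(href);
  u.username = "";
  u.password = "";
  return u.href;
}

// Constructed sample links for the demonstration.
const SAMPLE_LINKS = [
  "http://www.wingtiptoys.com@example.com",          // the KB's own example
  "http://www.wingtiptoys.com:80@example.com/login", // ":80" becomes the password
  "https://user:secret@example.com/",                // HTTPS is covered too
  "ftp://user:secret@example.com/",                  // not HTTP(S): outside the rule
  "http://example.com/?next=admin@example.net",      // "@" in the query is not user info
];

for (const href of SAMPLE_LINKS) {
  const a = analyzeLink(href);
  console.log(
    href, "-> connects to", a.connectsTo,
    "| user:", JSON.stringify(a.username),
    "| allowed after 832894:", allowedAfter832894(href)
  );
}
```

The last sample link is the case a naive "reject anything containing @" filter gets wrong: the "@" sits in the query string, the parser assigns no user information, and the link is legitimate. Checking the parsed username and password fields rather than searching the raw string is what keeps the filter from breaking such links, which is also the class of breakage Ariel's reply is concerned about.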
Current thread:
- IT-ISAC Information Bulletin re MS04-004 REN-ISAC (Feb 02)
- <Possible follow-ups>
- Re: IT-ISAC Information Bulletin re MS04-004 Ariel Silverstone (Feb 03)
- Re: IT-ISAC Information Bulletin re MS04-004 REN-ISAC (Feb 03)
- Re: IT-ISAC Information Bulletin re MS04-004 Clyde Hoadley (Feb 03)
- Re: IT-ISAC Information Bulletin re MS04-004 Gary Flynn (Feb 03)