Computer Cops - Microsoft to Strike Passwords from URLs in IE

New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops

	Donations

	If you found this site helpful, please donate to help keep it online Don't want to use PayPal? Try our physical address

	Prime Choice

	· Head Lines · Advisories (All) · Dnld of the Week! · CCSP News Ltrs · Find a Cure! · Ian T's (AR 22) · Marcia's (CO8) · Bill G's (CO10) · Paul's (AR 5) · Robin's (AR 2) · Ian T's Archive · Marcia's Archive · Bill G's Archive · Paul's Archive · Robin's Archive

	Security Central

	· Home · Wireless · Bookmarks · CLSID · Columbia · Community · Downloads · Encyclopedia · Feedback (send) · Forums · Gallery · Giveaways · HijackThis · Journal · Members List · My Downloads · PremChat · Premium · Private Messages · Proxomitron · Quizz · RegChat · Reviews · Search (Topics) · Sections · Software · Statistics · Stories Archive · Submit News · Surveys · Top · Topics · Web Links · Your Account

	CCSP Toolkit

	· Email Virus Scan · UDP Port Scanner · TCP Port Scanner · Trojan TCP Scan · Reveal Your IP · Algorithms · Whois · nmap port scanner · IPs Banned [?]

Survey

How much can you give to keep Computer Cops online?

	$10 up to $25 per year?
	$25 up to $50 per year?
	$10 up to $25 per month?
	$25 up to $50 per month?
	More than $50 per year?
	More than $50 per month?
	One time only?
	Other (please comment)

Results
Polls

Votes: 829
Comments: 19

Translate

microsoft: Security HeadLines: Microsoft to Strike Passwords from URLs in IE

Microsoft

Microsoft to Strike Passwords from URLs in IE

By David Worthington, BetaNews January 29th, 2004, 5:23 AM

Due in large part to December's highly publicized URL spoof attacks, Microsoft intends to release a patch for Internet Explorer that will modify the way the browser handles user credentials.

According to a recent knowledge base article, support for user names and passwords will now be stricken from URLs.

This modification is based upon the findings of Demark based security firm Secunia, which on Wednesday released another advisory revealing additional spoofing vulnerabilities in IE. The latest advisory warns that a spoofing attack could potentially obfuscate the extensions of downloaded files by embedding a CLSID in the file name. Users would in turn not know the true file type of the content they are downloading.

Specifically to address issues such as these, the patch from Microsoft will disallow the format "username:[email protected]" from being used to pass credentials in HTTP and HTTPS URLs. This format allowed hackers to spoof legitimate domain names by way of specially crafted URLs intended to facilitate convincing "phishing" schemes, or even cross site scripting attacks.

Source: BetaNews

Posted on Thursday, 29 January 2004 @ 09:27:56 EST by cj

	Login

	Nickname Password · New User? · Click here to create a registered account.

	Related Links

	· TrackBack (0) · News.com · PHP HomePage · Microsoft · HotScripts · W3 Consortium · Google Microsoft Search · Microsoft · Technet Online · HotFix & Security Bulletins · More about Microsoft · News by cj Most read story about Microsoft: Internet Explorer file:// Request Zone Bypass Vulnerability

	Article Rating

	Average Score: 0 Votes: 0 Please take a second and vote for this article:

	Options

	Printer Friendly Page

"Login" | Login/Create an Account | 0 comments

Threshold

The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register


	Home · Topics · Submit News · Top 10 This entire site, Cops Themes, and Computer Cops are © 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright © 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 881 pages served in previous 5 minutes. Page Generation: 0.236 seconds.