[ISN] IE security patch nixes some apps

From: InfoSec News (isn@private)
Date: Thu Feb 05 2004 - 03:03:37 PST

  • Next message: InfoSec News: "[ISN] 'We're Making Rapid Progress'"

    http://news.com.com/2100-7355_3-5153534.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    February 4, 2004
    
    Some Web developers are complaining that an Internet Explorer patch
    that's meant to foil Net scams is disabling some applications that
    didn't put a premium on security.
    
    Microsoft last week announced that a modification to its IE browser
    would stop the insecure practice of including sensitive information in
    links. The update, which was released Monday, had some Web site
    programmers up in arms Wednesday due to complaints from Web users that
    they could no longer log in to sites that secure entry through
    credentials included in the URL.
    
    "Microsoft may have legitimate reasons for addressing the issue, but
    the way they addressed it--an across-the-board kill of an industry
    standard--is troublesome," said James Rosko, a software engineer for a
    data-processing service on the Web. He and other programmers spent
    Tuesday night making changes to the programs that process login
    requests for his company's Web site, which he requested not be named.
    
    The incident could be the first known case of Microsoft getting
    attention for putting security before a feature used by some of its
    customers. Microsoft promised to put security first when it launched
    its Trustworthy Computing Initiative more than two years ago. But some
    critics have claimed that they haven't seen many results.
    
    "I really look at it from the standpoint of the majority of
    customers," said Stephen Toulouse, security program manager at
    Microsoft's security response center. "Our customers have said, 'We
    want security,' and so that is the change that we gave them."
    
    The problem occurs when programmers design a Web site to enable a Web
    user to log in by typing credentials into the URL. In such cases, the
    Web address might look like this:  
    http://username:password@private/program.ext. The link
    gives the person access to a company's Web site when the
    authentication program verifies the username and password.
    
    Because the username and password are part of the Web address and are
    not encrypted, embedding the credential in the URL is considered a
    security risk, said William Kennedy, chief technology officer at
    ActivMedia Robotics and the co-author of "HTML & XHTML: The Definitive
    Guide."
    
    "It was a dumb idea to include such functionality in the first place,"  
    Kennedy said. "There are millions of other ways of logging in to a
    site."
    
    However, that sentiment was not what made Microsoft disable the
    feature. The software giant made the change to stop scam artists from
    constructing URLs that appeared to link to a legitimate Web site but
    actually directed people to a fraudulent site. For instance, a URL
    that appears to go to eBay could actually send the person to a
    fraudulent site such as: http://www.ebay.com@private
    
    The fake site will typically ask for a person's username and password
    and then use that information to complete a scam. Major banks and
    other financial Web sites, such as PayPal, are popular targets of such
    fraud, often called "phishing." The Federal Deposit Insurance Corp.,
    the government organization that underwrites U.S. citizens' banks
    accounts, recently warned of a similar scam.
    
    "I suspect most folks never heard of this feature," said Richard
    Smith, a privacy and security expert. "The big exception, of course,
    is the phishing scam artists."
    
    Programmer Rosko acknowledges that putting the username and password
    in the URL is not very secure, but he stressed that some applications
    don't need the security.
    
    "This is for noncritical information," he said. "It is information
    that we would just rather not have everyone on the Web have access
    to."
    
    In some cases, making the change after the IE update has been
    difficult.
    
    Angus Systems Group, an online service that allows commercial property
    owners to manage tenant requests, uses URL credentials so that users
    can log in to a third-party application that generates reports. The
    application is not sensitive enough to require individual logins; so
    users typically log in as part of a group by using a specific URL.
    
    "It wouldn't be that much of an issue, if it was a per-user basis--if
    the user was responsible for their own credentials," said Brad Aisa,
    senior architect for Angus Systems. "Unfortunately, we don't have any
    control over that aspect of (the third-party application's) security."
    
    Aisa wasn't aware of the issue until customers started complaining.
    
    "All of a sudden, you come in one day, and things aren't working
    anymore, because (Microsoft has) determined that a way they are doing
    things is not secure," he said. "There should be an opt-in system for
    that."
    
    After looking at the options, Angus Systems will likely have to
    reverse Microsoft's security move by giving people a registry update
    to turn off that part of the patch, Aisa said.
    
    CNET News.com's Paul Festa contributed to this report.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Feb 05 2004 - 05:43:27 PST