Educause Security Discussion mailing list archives

Re: IT-ISAC Information Bulletin re MS04-004


From: REN-ISAC <dodpears () INDIANA EDU>
Date: Tue, 3 Feb 2004 09:56:59 -0500

Specifically,

per http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

Internet Explorer versions 3.0 and later support the following syntax for HTTP or HTTPS URLs: 
http(s)://username:password@server/resource.ext. A malicious user could also use this URL syntax to create a hyperlink 
that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the 
following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com: 
http://www.wingtiptoys.com@example.com. Additionally, malicious users can use this URL syntax together with other 
methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status 
bar, Address bar, and Title bar of all versions of Internet Explorer.

The 832894 security update removes support for handling URLs of this form in Internet Explorer and Windows Explorer. 
After you install the 832894 security update, Windows Explorer and Internet Explorer do not open HTTP or HTTPS sites by 
using a URL that includes user information. By default, if user information is included in an HTTP or an HTTPS URL, a 
Web page with the following title appears: Invalid syntax error.


At the Microsoft KB 834489 article referenced above, a number of workarounds for handling broken applications are 
described, including how to disable the new behavior once the security update is applied.


Regards,

Doug Pearson
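The userinfo form of the URL quoted from the KB article, as an added example that is not part of this thread or of Microsoft's KB text: it runs the WHATWG URL parser built into Node.js and current browsers over a few constructed links, shows which part of the link is the "username" and which part is the host that actually gets resolved, and applies a check that mirrors what the 832894 update does (refuse HTTP and HTTPS links that carry user information instead of opening them). The names wingtiptoys.com and example.com are the placeholders from the KB article; the sample links and the function names are this example's own.

```javascript
// Added example, not code from the EDUCAUSE thread or from Microsoft's KB.
// Demonstrates how http(s)://username:password@server/resource.ext is parsed
// and how to reject such links the way the 832894 update does.

// Split a link into the parts a reader sees versus the host that is resolved.
function dissect(link) {
  const u = new URL(link);
  return {
    scheme: u.protocol.replace(":", ""),
    username: u.username, // text before ':' or '@'; looks like a host to a reader
    password: u.password, // text between ':' and '@', if any
    host: u.hostname,     // the name the browser actually connects to
    path: u.pathname,
  };
}

// Post-832894 behaviour in miniature: an HTTP or HTTPS link that carries
// user information is treated as invalid syntax rather than opened.
// Other schemes are left alone, as the KB text only covers HTTP and HTTPS.
function classifyLink(link) {
  let u;
  try {
    u = new URL(link);
  } catch (e) {
    return "unparseable";
  }
  const isWeb = u.protocol === "http:" || u.protocol === "https:";
  if (isWeb && (u.username !== "" || u.password !== "")) {
    return "invalid syntax (userinfo present, host is " + u.hostname + ")";
  }
  return "ok (host is " + u.hostname + ")";
}

// Constructed sample links for this example.
const samples = [
  "http://www.wingtiptoys.com@example.com/",            // the KB's spoof case
  "http://www.wingtiptoys.com:443@example.com/login",   // ':443' reads as a port but is the password
  "http://user:secret@example.com/resource.ext",        // the legitimate use of the syntax
  "http://www.wingtiptoys.com/",                        // no userinfo: opens normally
  "ftp://user@example.com/",                            // not HTTP/HTTPS: outside the KB's scope
];

for (const s of samples) {
  console.log(s, "->", JSON.stringify(dissect(s)), "|", classifyLink(s));
}
```

The second sample is the one to keep in mind when writing a mail or proxy filter: everything up to the last `@` before the first `/` is userinfo, so a `:` in that region is a password separator, not a port, and a pattern that only looks for `user:pass@` will miss `www.wingtiptoys.com@example.com`.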




At 09:16 AM 2/3/2004 -0500, Ariel Silverstone wrote:
Colleagues,

In my view, this patch has the potential to break many an application in use
in Higher Ed due to the change in the URL rules.

Ariel Silverstone
Chief Information Security Officer
Temple University



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of REN-ISAC
Sent: Monday, February 02, 2004 11:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT-ISAC Information Bulletin re MS04-004

Attached is the IT-ISAC summary bulletin regarding MS04-004.

Regards,

Doug Pearson

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
