|
|
 Microsoft to Strike Passwords from URLs in IE
By David Worthington, BetaNews
January 29th, 2004, 5:23 AM
Due in large part to December's highly publicized URL spoof attacks, Microsoft intends to release a patch for Internet Explorer that will modify the way the browser handles user credentials.
According to a recent knowledge base article, support for user names and passwords will now be stricken from URLs.
This modification is based upon the findings of Demark based security firm
Secunia, which on Wednesday released another advisory revealing
additional spoofing vulnerabilities in IE. The latest advisory warns that a
spoofing attack could potentially obfuscate the extensions of downloaded files
by embedding a CLSID in the file name. Users would in turn not know the true
file type of the content they are downloading.
Specifically to address
issues such as these, the patch from Microsoft will disallow the format
"username:password@host.com" from being used to pass credentials in HTTP and
HTTPS URLs. This format allowed hackers to spoof legitimate domain names by way
of specially crafted URLs intended to facilitate convincing "phishing" schemes,
or even cross site
scripting attacks.
Source: BetaNews
|
|
|
 |
|
No Comments Allowed for Anonymous, please register |
|
| |
|
Login |
|
 |
|
|
|
|
· New User? · Click here to create a registered account.
|
|
|
Article Rating |
|
|
|
|
|
|
Average Score: 0
Votes: 0
|
|
|
