
microsoft's solution to the @ url spoofing vulnerability


Old 01-30-04, 12:52 AM
  #1  
DVD Talk Hero
Thread Starter
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,706

their solution:
manually type the url
what a joke

support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER.
because we're too lazy to patch our programs
Old 01-30-04, 12:58 AM
  #2  
DVD Talk Ultimate Edition
 
Join Date: Aug 2002
Location: Bonney Lake, WA
Posts: 4,278
so...ridiculous...
Old 01-30-04, 01:21 AM
  #3  
Blake
DVD Talk Hall of Fame
Join Date: Feb 1999
Location: Orange
Posts: 7,737
I always thought that was how everyone did it.

(and like I heard on the radio this weekend, they're not patches, because that would indicate something was wrong in the first place - they're "service packs")
Old 01-30-04, 01:31 AM
  #4  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,764
There's an even more "effective step you can take to help protect yourself from malicious hyperlinks".

Don't use Internet Explorer!
Old 01-30-04, 02:00 AM
  #5  
Deftones
DVD Talk God
Join Date: Oct 1999
Location: Arizona
Posts: 75,009
i type in most of my urls anyway
Old 01-30-04, 08:55 AM
  #6  
Mod Emeritus
 
Join Date: Feb 1999
Location: Gone to the islands - 'til we meet again.
Posts: 19,053
The version of McAfee I have pops up a warning if you open a page that contains a link of this nature. It's nice to know that someone is trying to keep Microsoft's software from getting us into trouble.
Old 01-30-04, 11:15 AM
  #7  
DVD Talk Special Edition
 
Join Date: May 2000
Location: LA
Posts: 1,388
Is @ redirection really a Microsoft problem though? I thought it was part of the definition of web addressing. Besides, how would people who don't know what the @ symbol does in a URL if you were to format it to look something like this:

http://[email protected]
Old 01-30-04, 12:16 PM
  #8  
DVD Talk Legend
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
Originally posted by Blake
I always thought that was how everyone did it.
You mean you can just click on those underlined parts? My, that would have been useful to know.

A Microsoft rep once recommended that people should close applications by clicking on File and selecting Close. As in, don't use the X at the top-right, don't use Alt-F4, and don't right-click on the taskbar entry and select Close.

"Why?" I said, "all of those should map to the same function, right?"

He said, "well, they kind of don't, so the functionality may be a little different."

- David Stein
Old 01-30-04, 12:41 PM
  #9  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,764
Originally posted by sfsdfd
A Microsoft rep once recommended that people should close applications by clicking on File and selecting Close. As in, don't use the X at the top-right, don't use Alt-F4, and don't right-click on the taskbar entry and select Close.

"Why?" I said, "all of those should map to the same function, right?"

He said, "well, they kind of don't, so the functionality may be a little different."
He's right about that. The X goes to a predefined subroutine and File->Close goes wherever the programmer wants it to go. They have to tell it what to do when you end the program that way.

Usually the programmer would tell it to go to the same place as the X, but not always. But at least by going through File->Close you know they put in their own closing code if the program actually ends.
Old 01-30-04, 05:21 PM
  #10  
Mod Emeritus
 
Join Date: Feb 1999
Location: Gone to the islands - 'til we meet again.
Posts: 19,053
Originally posted by UWSarge
Is @ redirection really a Microsoft problem though? I thought it was part of the definition of web addressing. Besides, how would people who don't know what the @ symbol does in a URL if you were to format it to look something like this:

http://[email protected]

The problem that IE has is that you can't see the redirection at all, only the http://goingtoredirectyou.com
Old 01-30-04, 06:31 PM
  #11  
Blake
DVD Talk Hall of Fame
Join Date: Feb 1999
Location: Orange
Posts: 7,737
The redirect worked for me, however 1107797217 took me nowhere.
Old 01-30-04, 06:57 PM
  #12  
DVD Talk Special Edition
 
Join Date: May 2000
Location: LA
Posts: 1,388
Originally posted by Blake
The redirect worked for me, however 1107797217 took me nowhere.
Really? I tried it both in Opera and IE and they both took me to DVDtalk.

http://1107797217
Old 01-31-04, 12:54 PM
  #13  
DVD Talk Legend
 
Join Date: Jun 2000
Location: NYC
Posts: 17,018
www.dvdtalk.com

Malicious indeed..!
Old 01-31-04, 05:20 PM
  #14  
toq
Senior Member
 
Join Date: Mar 2003
Posts: 522
It seems like Microsoft will be releasing a "patch" to remedy this. How? Simply by removing the feature altogether.

Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs
To mitigate the issues that are discussed in the "Background information" section of this article, Microsoft plans to release a software update that removes support for handling URLs of this form in Internet Explorer and Windows Explorer. After you install this software update, Windows Explorer and Internet Explorer do not open HTTP or HTTPS sites by using a URL that includes user information. By default, if user information is included in an HTTP or an HTTPS URL, a Web page with the following title appears:

Invalid syntax error
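
Added example, not part of any post in this thread and not Microsoft's code: a JavaScript check that applies the rule in the KB text quoted above (refuse HTTP/HTTPS URLs that carry user information) and also flags the integer-host form posted earlier, reporting the host a browser would actually contact. The function name `inspectLink`, the verdict labels and the example.com/example.net URLs are assumptions made for illustration.

```javascript
// Added example. Sample URLs are constructed; 1107797217 is the decimal
// host quoted in the thread.
function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same rules browsers apply
  } catch (err) {
    return { raw, verdict: "unparseable" };
  }
  const isWeb = url.protocol === "http:" || url.protocol === "https:";
  const hasUserInfo = url.username !== "" || url.password !== "";

  // Host exactly as typed: the authority text after the last "@", minus
  // any port. new URL() normalizes the host, so the raw text is kept too.
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/\\?#]*)/i.exec(raw.trim());
  const authority = m ? m[1] : "";
  const typedHost = authority
    .slice(authority.lastIndexOf("@") + 1)
    .replace(/:\d*$/, "");

  // A bare integer host is a 32-bit IPv4 address; url.hostname gives the
  // dotted form a reader can recognise.
  const numericHost = /^\d+$/.test(typedHost);
  // User info shaped like a domain name is what makes the link misleading.
  const userInfoLooksLikeHost =
    /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username);

  let verdict = "ok";
  if (isWeb && hasUserInfo) verdict = "blocked"; // rule from the quoted KB text
  else if (numericHost) verdict = "warn";        // destination is not readable

  return { raw, realHost: url.hostname, typedHost, hasUserInfo,
           userInfoLooksLikeHost, numericHost, verdict };
}

// Constructed sample links.
const samples = [
  "http://www.example.com@1107797217/login",
  "http://1107797217/",
  "https://www.example.com/",
  "ftp://user@ftp.example.net/", // the update covers only HTTP and HTTPS
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(`${r.verdict.padEnd(8)} real host: ${r.realHost}  <- ${s}`);
}
```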
Old 02-03-04, 12:11 PM
  #15  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,764
The patch arrived and it works... by not working.
Old 02-03-04, 03:47 PM
  #16  
Senior Member
 
Join Date: May 2000
Location: Vancouver, BC
Posts: 645
You've just gotta love MS' solutions to these problems... don't fix the bug, God no.. just make it so you can't use that feature anymore. <sigh>.
Old 02-03-04, 05:44 PM
  #17  
DVD Talk Platinum Edition
 
Join Date: Oct 1999
Location: South Surrey, BC
Posts: 3,990
"Why?" I said, "all of those should map to the same function, right?"
They should, but they don't have to. All three can be trapped and processed in nonstandard ways.

As a refresher, I had a quick look at the code the VC++ .NET wizard generated for a Win32 skeleton app. The close-box and ALT-F4 messages are simply sent to the default window handler, while the WM_COMMAND message generated by the "Exit" click is processed directly (with a call to the API routine DestroyWindow()).

RD
