  SKYHN Lu.. Lu.. Lulululu Premium join:2001-09-16 99999 | The one thing to end all windows exploits:
A patch that disables windows  |
|
  GNXPower Got Boost? Premium join:2003-12-18 Huntington Beach, CA | I have the work around
Not using IE. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA | "Don't click links"
Kinda like "Don't send links to your friends; instead, print out a web page and fax it to them" |
|
  SND2005 Premium join:2001-09-15 Im Over Here
·CWLab
1 edit | Hmmm....
It sucks that M$ has such a crappy attitude towards this- if they would just fess up and fix the thing people would more highly regard them.
On the other hand though, it doesn't take much common sense to avoid this. Are people really so stupid and/or lazy as to not bookmark a site?! Yes, it's an exploit- but thinking wouldn't hurt either. I bet if people spent half as much time trying to crack other browsers and Linux that there would be just as many issues. So to all you smug users of other browsers- just wait, your time is coming. |
|
 nasadude
join:2001-10-05 Rockville, MD | like all good monopolies....
...Microsoft could give a sh*t about their customers.
Besides, they're not interested in browsers anymore, they won that war. |
|
  T0rn Premium join:2001-05-11 USA
| reply to SND2005 Re: Hmmm....
said by SND2005 : I bet if people spent half as much time trying to crack other browsers and Linux that there would be just as many issues. So to all you smug users of other browsers- just wait, your time is coming.
Microsoft is a target, that's why. |
|
  rchandra Stargate S G-1 And Atlantis Fan Premium join:2000-11-09 14225-2105 clubs:
| typical MS
Typical Microsoft: break protocols, then claim it's sooooo much better for you. Market the heck out of it, then all but the sharp don't know any better. Dear MS: it's not rocket science; Mozilla for example has no problem with this, and we don't know what your problem is in obscuring stuff.
Actually, come to think of it, this is also right up their alley. Let's not show the user what the Web server sent you on an error; they probably can't handle that. No, let's put up our own "friendly" page with 3 paragraphs of cruft explaining what the problem might be instead, while the user has to wade through all that in order to find out what the problem really was. "Obscure as much of the real world as possible" is the Microsoft way, so it's no big surprise that they hide a NUL or SOH.
It's also soooo comforting to know that if it's two days after their monthly release cycle day when a new problem is discovered that my system will be broken in some way for another 28 or so days. I guess it's too "confusing" to have a properly working system. -- English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules. Blog is here |
|
  Maxo Your tax dollars at work. Premium,VIP join:2002-11-04 Tallahassee, FL clubs:
| WtF?
quote: As a result, Microsoft will be eliminating the ability of IE to recognize the "@" character in URLS altogether - meaning websites that still use the character to denote user login information will need to change their ways once the next patch is applied. A second exploit that allows scammers to disguise true file extensions was unveiled earlier this week.
Huh? Mozilla Firebird doesn't allow Phishing, yet I can still use username:password@domain-name.com. Why can't IE do the same? -- Girls don't really like me That's why I hate myself Maybe it's cause of the way I look Or maybe it's something else »maxolasersquad.com |
|
  93254336 Weapons Of Masturbation Premium join:2001-10-20
| Not limited to IE...
The [url]@[ip address] spoof problem is not limited to IE.
I tried the following on a Mac using Safari 1.0, IE 5.2.2, Mozilla 1.6, and Firebird 0.7:
»www.chase.com@158.171.210.42
and all the browsers redirected to 158.171.210.42 (Fleet Bank's website) rather than generating an error or displaying Chase Manhattan Bank's website.
- Dan -- When are you going to let me out of this box? |
|
  biggbrother Premium join:2001-11-07 Providence, RI | Looks like you are correct. I find it amazing how people love to obsess over Internet Explorer's security problems. I'm at the point that I feel bad for Microsoft. They are being assailed from all corners. |
|
  NPGMBR
join:2001-03-28 Arlington, VA | This is funny. I bet the *nix camp will have a valid explanation for it. |
|
 CCCMTech Premium,VIP,MVM join:2002-05-17 Pound, VA
| Easy to avoid being phished
If you are going to a site that you fear may be a phishing exploit (site you don't trust)
Simply right click the link and go to properties; there you will see "somedomain.com%01@realdomain.com" except the %01 will be a wild character more like ||. Haven't run across the download phishing yet. Should be able to do the same on it though.
(smart site would disable right click if they're going to phish). -- Thank you for choosing SBC Internet Services. My name is Rick. How may I help you today? |
|
  ikarus1 Premium join:2002-10-23 Urbanna, VA
| reply to T0rn Re: Hmmm....
said by T0rn : said by SND2005 : I bet if people spent half as much time trying to crack other browsers and Linux that there would be just as many issues. So to all you smug users of other browsers- just wait, your time is coming.
Microsoft is a target, that's why.
Naw... Microsoft is a joke that is why. Look it is really simple. It really is, and you Microsux lovers are in serious denial...
We (Computer Scientists) have known for forty years that it was stupid to allow Joe $hit the RagMan... AKA LUSER to run with administrative privs on any system. Now, kiddies, the truth is Microsux knew that when they started down this path. They knew they shouldn't let, "Bubba LUSER", run with admin privs but they did not know how to get around the problems that would cause with MS-DOS apps and their installed base.... sooooo.... they just decided in their marketing driven engineering shop to IGNORE CONVENTIONAL PRUDENCE... They knew they shouldn't do it. They did it anyway. Now they are running on top of some forty or fifty million lines of code that was written on top of assumptions which are known to be BAD PRACTICE. They aren't going to fix this problem because they can't fix it. Their system is a monolith, commonly recognized as BAD PRACTICE by the Computer Scientists worldwide. Their monolith presumes the user at the console should have administrative rights, commonly recognized as BAD PRACTICE by Computer Scientists worldwide.
Kiddies... this is not that hard to understand... but there are some who are so deeply in denial that saying it won't help... Microsloth knowingly screwed the pooch to ensure that they kept market share, with the mistaken belief that they could defy conventional wisdom and survive it. NOW YOU ARE PAYING THE PRICE... and kiddies, that is something you can't deny.
-m- -- »www.freeantennas.com |
|
  MacUser04
@12.151.x.x
| reply to SND2005 quote: I bet if people spent half as much time trying to crack other browsers and Linux that there would be just as many issues. So to all you smug users of other browsers- just wait, your time is coming.
Bszzt, Wrong. It's because of poor code and security on the Windows side. UNIX'es are more secure and that's an undeniable fact. It has nothing to do with focusing attention on Windows. It has to do with the fact that on Windows security was an afterthought, where with UNIX'es it was the main goal.
Difference in development ideologies and the fact that UNIX has been around since the 60's make it a much more stable and secure platform than Windows can ever hope to be. |
|
  MacUser04
@12.151.x.x
| reply to 93254336 Re: Not limited to IE...
Yes, but in the address on IE you get: »158.171.210.42/home.asp
On the Address in Mozilla you get: »www.chase.com@158.171.210.42/home.asp
On IE you think all is fine. On Mozilla you can tell something looks Phishy... |
|
  ikarus1 Premium join:2002-10-23 Urbanna, VA
1 edit | reply to 93254336 said by 93254336 : The [url]@[ip address] spoof problem is not limited to IE.
I tried the following on a Mac using Safari 1.0, IE 5.2.2, Mozilla 1.6, and Firebird 0.7:
»www.chase.com@158.171.210.42
and all the browsers redirected to 158.171.210.42 (Fleet Bank's website) rather than generating an error or displaying Chase Manhattan Bank's website.
- Dan
While you're at it Dan... Try this on the other browsers...
»www.infoworld.com/article/04/01/···e_1.html
then consider the combination of the one exploit and the second and you may begin to have a clue.
-m- -- »www.freeantennas.com |
|
  SND2005 Premium join:2001-09-15 Im Over Here
·CWLab
| reply to MacUser04 Re: Hmmm....
Haaa haaa haaaaa haaaaa......You freakish people are so funny. This isn't even about a "who is better" type war as you all would like to make it. (Windows would appear to be better if you look at sales.. )
The problems will come for whomever is the leader in the market- which is Microsoft, so eat it. |
|
 dda Premium join:2003-12-29 Bolton, MA
| reply to NPGMBR Re: Not limited to IE...
The explanation is that it is valid behaviour; it is what the browser should do. Anything before that @ is considered username/password info (in this case, just username) and is passed to the site if it requests credentials.
The problem comes in when the address bar doesn't display the information correctly so you think you are somewhere that you are not. What did the address bar display when you tried that?? It should say you were on 158.171.210.42 rather than on www.chase.com; my understanding of phishing is that the browser doesn't show you what site you are really on. |
|
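Added example, not part of any post in this thread: the check the posts above describe (what host a link with an "@" really goes to, and whether a control character such as %01 is hiding in the userinfo part), written against the standard URL parser. The function name, finding labels and the http:// scheme prepended to the thread's sample addresses are assumptions made for the illustration.

```javascript
// Added example: report where a URL really goes and flag the userinfo
// tricks discussed in this thread. Sample URLs are the thread's own
// examples with an assumed http:// scheme prepended.
const CONTROL = /%(?:[01][0-9a-f]|7f)/i;       // percent-encoded C0 control or DEL
const CONTROL_ALL = /%(?:[01][0-9a-f]|7f)/gi;  // same pattern, for stripping
const HOSTLIKE = /^[a-z0-9-]+(?:\.[a-z0-9-]+)+$/i;
const IP_LITERAL = /^(?:\d{1,3}(?:\.\d{1,3}){3}|\[.*\])$/;

function inspectUrl(raw) {
  // The WHATWG parser percent-encodes raw control characters in userinfo,
  // so a literal 0x01 byte and "%01" both appear as "%01" after parsing.
  const u = new URL(raw);
  const userinfo = u.password ? `${u.username}:${u.password}` : u.username;
  const findings = [];
  if (userinfo) findings.push("userinfo-present");
  if (CONTROL.test(userinfo)) findings.push("control-char-in-userinfo");
  // A "username" shaped like a hostname is what makes the link read as
  // if it pointed at that host.
  if (HOSTLIKE.test(u.username.replace(CONTROL_ALL, ""))) {
    findings.push("userinfo-looks-like-host");
  }
  if (IP_LITERAL.test(u.hostname)) findings.push("host-is-ip-literal");
  return {
    realHost: u.hostname,                               // where the request goes
    display: `${u.protocol}//${u.host}${u.pathname}`,   // URL without userinfo
    userinfo,
    findings,
  };
}

const SAMPLES = [
  "http://www.chase.com@158.171.210.42/home.asp",
  "http://somedomain.com%01@realdomain.com/",
  "http://username:password@domain-name.com/",
];
for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(`${s} -> ${r.realHost} [${r.findings.join(", ")}]`);
}
```

A plain username:password login produces only "userinfo-present", so the check separates ordinary credential URLs from the lookalike-host and control-character cases.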
 Freezone
join:2000-09-29 Southfield, MI
| reply to ikarus1 Re: Hmmm....
said by ikarus1 : Microsloth knowingly screwed the pooch to ensure that they kept market share, with the mistaken belief that they could defy conventional wisdom and survive it. NOW YOU ARE PAYING THE PRICE... and kiddies, that is something you can't deny.
-m-
Well, I am pissed I did not think of doing what MS did first . Having Bill Gates money does not hurt at all. I am sure he loses sleep every night with all the trouble he has caused.
Microsoft survived because they are a business. We had and have better OS made by scientists. Scientists are still pissed that us LUSER have the power that we have. For the better part of the last 40 years computing belonged only to the scientists. Companies like MS and Apple came and gave some of that power to the people.
I thank god for the PC, because I am glad the world of dumb terminals did not survive. Despite the constant problems with windows I will keep my computing power in my own control thank you. |
|
 Freezone
join:2000-09-29 Southfield, MI | reply to Maxo Re: WtF?
OK, I have to admit this is bad. |
|