Hello Thor,

Tuesday, February 3, 2004, 9:02:11 AM, you wrote:

TL> This has already been implemented in the out-of-schedule IE patch they
TL> released yesterday, MS04-040. This is also the first time they broke their
TL> promised monthly patch schedule, so far they have released patches in the
TL> second week of the month.
TL> http://www.microsoft.com/technet/security/bulletin/MS04-004.asp

There was a case of an "escaped" fix last month, wasn't there?

TL> However, if you hover your mouse over such a link you will see the status
TL> bar of the browser still displays the incorrect link. It seems like the
TL> incorrect parsing code is still there, but the current attack vector is
TL> gone - time to look for other pathways.

So this really IS a case of gutting a "feature" to spite a bug, without actually fully fixing the bug. Or did I misunderstand you? Were you referring to the %00 FQDN spoofing vulnerability or just the display of the username:password in the URL bar?

I'll go answer those questions myself. *g*

Ok, I've confirmed that one (status bar showing spoofed domain with %00) at Secunia's test page. Of course, there are many other ways to manipulate the status bar on a mouseover, but this flaw still applies to some small extent.

http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

The spoofing flaw does appear to be entirely gone in the URL bar, though. In one way or another, at any rate. URLs spoofed with %00 in them issue an "invalid syntax" error regardless of the state of the new registry keys mentioned in the KB. This is done without modifying what is shown in the URL bar. Everything is shown, including the spoofed string and the real domain. Maybe people could be fooled into dialing a telephone number or sending in the information by email "if this website is down due to high demand". This isn't MS's problem IMO, though.

If the registry keys are set and no unusual characters are present, the page loads as expected; however, the username:password string is removed from the URL bar (I haven't tested whether a basic authentication login will still occur).

So, the bug does seem to be fixed except on the status bar when mousing over a link that is trying to spoof a destination.

-- 
Best regards,
Sam
mailto:sschinke@myrealbox.com
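The thread above is about links of the username:password@host form where the "username" slot is padded with %00 so that the browser shows the decoy name and hides the real destination. The following is an added example, not code from the mail or from Microsoft's patch: a small Python check a mail gateway or proxy log review could run to surface such links on the defending side, by parsing each URL, reporting the host the browser would actually connect to, and flagging userinfo that contains an encoded NUL or that itself looks like a hostname. The regex, the sample message text and the function names are my own assumptions.

```python
import re
import urllib.parse

# Constructed heuristic: a username that looks like a dotted hostname is
# the decoy pattern discussed in the thread (e.g. "www.trusted.example").
_HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed regex for pulling bare URLs out of free text.
_URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+")


def classify_url(url: str) -> dict:
    """Describe a URL from a defender's point of view.

    real_host is the host the client would connect to (everything after
    the last '@' in the authority), which is what a status bar should
    show regardless of what precedes the '@'.
    """
    parts = urllib.parse.urlsplit(url)
    netloc = parts.netloc
    result = {
        "url": url,
        "real_host": (parts.hostname or "").lower(),
        "has_userinfo": "@" in netloc,
        "has_nul": False,
        "userinfo_looks_like_host": False,
        "suspicious": False,
    }
    if not result["has_userinfo"]:
        return result

    # urlsplit already uses the last '@' for the host; do the same here.
    userinfo = netloc.rpartition("@")[0]
    decoded = urllib.parse.unquote(userinfo)
    result["has_nul"] = "\x00" in decoded

    # Take the username (before ':'), and only the part before any NUL,
    # since that is what the spoofed display would have shown.
    username = decoded.split(":", 1)[0].split("\x00", 1)[0].lower()
    result["userinfo_looks_like_host"] = bool(_HOSTLIKE.match(username))

    # Plain user:pass@ftp-host links are legitimate; flag only the
    # spoofing shapes (NUL padding or a hostname-looking username).
    result["suspicious"] = result["has_nul"] or result["userinfo_looks_like_host"]
    return result


def scan_text(text: str) -> list:
    """Classify every URL found in a block of text (e.g. a mail body)."""
    return [classify_url(u) for u in _URL_RE.findall(text)]


# Constructed sample message body; the domains are placeholders.
SAMPLE_MAIL = """Please verify your account at
http://www.trusted.example%00@evil.example/login
or, if the site is busy, use https://bank.example/login
Archive mirror: ftp://user:pass@files.example/
"""


def suspicious_hosts(text: str) -> list:
    """Real destination hosts of every flagged link in the text."""
    return [r["real_host"] for r in scan_text(text) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan_text(SAMPLE_MAIL):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} real_host={r['real_host']:<16} {r['url']}")
```

The check deliberately reports the post-'@' host rather than rejecting every URL with userinfo, since FTP links with credentials are common and legitimate; a gateway policy can then decide whether to rewrite, quarantine or merely annotate the message.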