Spoofing for Dummies

I had my doubts, but the URL spoofing bug in IE that Microsoft is supposedly investigating is really there.  The link-happy blogosphere, filled with copy-and-paste addicts, is a ready victim to this bugger (via Zap The Dingbat).

The bug is triggered by simply inserting '%01' in front of the '@' character in a URL of the form foobar@blahblah.com. Everything before the '@' is only the userinfo part, so the browser actually connects to blahblah.com, but IE stops displaying the address at the '%01' and shows only the fake name in front of it, hiding the real domain name that follows the '@' (see the HTML source for this post).
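
As an added illustration (this is not code from the post), the following JavaScript splits a URL the way RFC 3986 splits an authority, so the host that will really be contacted is read from after the last '@', and it flags the two ingredients of this bug: a userinfo part at all, and a percent-encoded control character hidden inside it. The host names used (scamsite.example, shop.example) are hypothetical.

```javascript
// Added example, not code from the original post. Splits a URL's authority
// per RFC 3986 (userinfo '@' host ':' port) and reports why a naive reader
// would be fooled. Host names are hypothetical.

function decodePercent(s) {
  // Decode %XX byte escapes one at a time; malformed escapes are left as-is.
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

function analyseUrl(raw) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)(.*)$/.exec(raw);
  if (!m) {
    return { ok: false, warnings: ["not an absolute URL with an authority"] };
  }
  const [, scheme, authority] = m;
  const warnings = [];

  // Everything up to the LAST '@' is userinfo; the host is what follows it.
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);

  // Separate an optional port (an IPv6 literal keeps its brackets).
  let host = hostport;
  let port = null;
  if (hostport.startsWith("[")) {
    const close = hostport.indexOf("]");
    if (close !== -1) {
      host = hostport.slice(0, close + 1);
      const tail = hostport.slice(close + 1);
      if (tail.startsWith(":")) port = tail.slice(1);
    }
  } else {
    const colon = hostport.lastIndexOf(":");
    if (colon !== -1) {
      host = hostport.slice(0, colon);
      port = hostport.slice(colon + 1);
    }
  }

  if (userinfo !== null) {
    warnings.push(
      `userinfo present: "${userinfo}" is a username, not the host; ` +
      `the request goes to ${host}`);
    // Look for a C0 control byte (or DEL) once percent escapes are decoded.
    const decoded = decodePercent(userinfo);
    let ctrl = -1;
    for (let i = 0; i < decoded.length; i++) {
      const c = decoded.charCodeAt(i);
      if (c < 0x20 || c === 0x7f) { ctrl = i; break; }
    }
    if (ctrl !== -1) {
      const code = decoded.charCodeAt(ctrl).toString(16).padStart(2, "0");
      warnings.push(
        `control character 0x${code} inside userinfo; a display that stops ` +
        `at the first control byte would show only "${decoded.slice(0, ctrl)}"`);
    }
  }

  return { ok: true, scheme, userinfo, host: host.toLowerCase(), port, warnings };
}

// Usage: the real host is the part a fooled reader never looks at.
console.log(analyseUrl("http://www.microsoft.com%01@scamsite.example/index.html"));
console.log(analyseUrl("https://shop.example:8443/cart"));
```

The first check is the one Opera's "address containing a username" warning quoted in the comments performs; the second catches the '%01' trick specifically. Any address bar or link preview that shows the text before the '@' as if it were the host is misleading the user, whether or not a control character is involved.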

As an architect, this sort of bug takes a lot of energy out of me.  Ever feel betrayed by the ground you walk on?  It's like discovering that everything you designed was built on a gigantic turtle that just woke up.  I have obviously exaggerated the size of the problem, but this sort of bullshit just upsets my stomach.

Another thing that upsets my stomach is getting excited enough about something to invest months into it, just to wake up and realize that there is no reason for people to use it.  There is quite a bit of that in the web services and Atom hype.  Get in the habit of asking "Why would they?" if you can't take the disappointments.  IT is NOT about YOU, but ALL about THEM, the people who will be using what you build.

Update:

On my IE 6 running on XP with all the latest patches, this is what I see after pressing the "Test Exploit" button.

Comments
Sorry, doesn't work on my Mozilla 1.6a :-)
Opera is not vulnerable. Upon clicking your test link, I get a "Security Warning. You are about to go to an address containing a username".
It's nice that Mozilla and Opera don't have the bug. Unfortunately, 90% of web users are using IE. Like I wrote, it's not about YOU, the geeks who are informed and self-assured enough to change browsers, but THEM, the people who will just nod their heads if someone tells them not to point their fingers at the screen.
Just what is it supposed to look like? Your source comes through as this in both IE and Mozilla (bracket change):

Don: "IT is NOT about YOU, but ALL about THEM, the people who will be using what you build."

Disclaimer: for the last 4+ years, I have made EVERY SINGLE PENNY of my income using a Microsoft product. I am not anti-MS, an open source zealot, etc, etc.

Agreed, there is absolutely no reason for you not to use Firebird. If IE is a turtle, it's one that's been sleeping for over a year and won't ever wake up. Even Microsoft said they won't be updating it. Firebird is a wonderful browser, Mozilla is great and I hear nothing but good about Opera. So why stay? Are there a million ActiveX pages you just simply have to view?

All of the browser makers have done virtually nothing to combat the increasing problem of spoof sites.
What is the connection between IE being insecure and Atom's development? This is a red herring. I also don't understand why you're so hell-bent on destroying Atom. I'm genuinely curious. If you're so sure it's insignificant, why not just ignore it until it goes away?
Upcoming Don Park posts:

Funnily enough, a new draft of the Atom Format spec came out today, and an update to the API spec a few days ago.
"IT is NOT about YOU, but ALL about THEM, the people who will be using what you build"

Derek Woolverton   at 2003/12/12 09:48:39 AM
Hmmmm. What's Atom? Oh, never mind, it's probably not important. I'll just go back to actually getting work done...
1. I *do* use Firebird. It's not about me, but the people who use what I build that I worry about. That is my default perspective whenever I am talking about software.

1. Good man.

Make sure you have the 'right end' of the lamb in your picture. :-p
Bill Brandon   at 2003/12/12 06:22:25 PM
Any browser is likely to have security holes. Nobody (that you know about) is looking for the holes in Firebird, Opera, etc., that's all. The ones in IE are too much fun - you can mess with *90%* of the planet with them. But you can bet that in the coming months, you will hear about exploits involving at least one other browser.
Interestingly, the bug does not show up in MyIE2, which (I thought?) is just a shell around IE. The underlying browser is IE 6 on WinXP. But maybe I'm wrong...
The bug seems to be in IEXPLORE.EXE, not the IE browser control.
heavyboots   at 2003/12/12 09:35:58 PM
Apple's Safari sees it correctly but doesn't get excited enough--I'd like it to warn me like Opera does. Heck, anytime an @ appears in a URL it should say something to the effect that "You are about to log in to the website scamzrus.com as user microsoft.com. Is this really what you wanted to do?" As for the 90% of the world using Windows IE, don't worry! They probably already have a virus or a keystroke watcher on their machine because they also use Outlook... ;-)

heavyboots   at 2003/12/12 09:39:59 PM
Oops, actually when I *manually* paste the link into Safari it goes there and shows the whole link. Just clicking on the button doesn't do anything at all for some reason. But I still want my '@' warning.
My IExplore.exe doesn't show the bug. I'm using the Italian version on Win2k.

Do any of you cats know how to stop Mozilla 1.7 from giving me that annoying pop-up warning every time I navigate to a different page within the same site? I have already said I trust it.
Very annoying... there should be a checkbox saying something like "do not show this warning anymore for pages within this site/domain" or something similar.