Microsoft to Strike Passwords from URLs in IE
Due in large part to December's highly publicized URL spoof attacks, Microsoft intends to release a patch for Internet Explorer that will modify the way the browser handles user credentials.
According to a recent knowledge base article, support for user names and passwords will now be stricken from URLs.
This modification is based upon the findings of Denmark-based security firm Secunia, which on Wednesday released another advisory revealing additional spoofing vulnerabilities in IE. The latest advisory warns that a spoofing attack could potentially obscure the extensions of downloaded files by embedding a CLSID in the file name. Users would in turn not know the true file type of the content they are downloading.
Specifically to address issues such as these, the patch from Microsoft will disallow the "username:password@server" format from being used to pass credentials in HTTP and HTTPS URLs. This format allowed hackers to spoof legitimate domain names by way of specially crafted URLs intended to facilitate convincing "phishing" schemes, or even cross-site scripting attacks.
User information has been handled in this syntax ever since the advent of Internet Explorer 3.0 and support is also embedded in Windows Explorer.
"This decision (to remove the behavior) has been a long time coming. Removing this feature will go a long way towards preventing IE users from being taken by phishing scams," said WhiteHat Security founder Jeremiah Grossman. "As more IE users patch, phishing scammers will need to resort to other methods."
Phishing schemes are socially engineered attacks intended for the sole purpose of obtaining site passwords, credit card numbers and other personally identifiable information.
Commenting on its decision, a Microsoft spokesperson told BetaNews, "This change in functionality will improve user security because the use of this URL syntax can potentially expose the user's name and password in plain text within the URL for the displayed page. An example of the security danger is that in a cross-frame or hidden-frame scenario, script in pages from visited Web sites can easily access the URL, parse it, and determine the username and password for other sites."
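As an added illustration, not part of the article or of Microsoft's patch, the following Node.js snippet shows the two risks described above from a defender's side: which host a URL written in the "username:password@server" syntax actually names (the text before the "@" is credentials, not the site), and how a link checker can strip or refuse such URLs so that a password never sits in plain text where page scripts can read it. It relies on the WHATWG URL parser built into Node.js; the function names `inspectUrl`, `stripCredentials` and `flaggedLinks` are my own, and every sample link is a constructed placeholder.

```javascript
// Added example (not from the article): a defensive link checker for the
// "username:password@host" URL syntax. Uses Node's built-in WHATWG URL parser.

// Constructed sample links (placeholders, not real sites).
const SAMPLE_LINKS = [
  "http://www.example.com/login",                    // ordinary link, no user info
  "http://www.example.com@evil.invalid/login",       // decoy host name before the "@"
  "https://user:s3cret@api.example.com/v1/account",  // real credentials embedded in the URL
];

// Parse one URL and report whether it carries user info, which host the
// browser would really connect to, and what text a reader might mistake
// for the host.
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { raw, valid: false };
  }
  const hasUserInfo = url.username !== "" || url.password !== "";
  return {
    raw,
    valid: true,
    hasUserInfo,
    realHost: url.hostname,                       // the host actually contacted
    decoy: hasUserInfo ? url.username : null,     // looks like a domain, is a user name
    exposesPassword: url.password !== "",         // secret visible in the URL string
  };
}

// Drop the user info entirely, which is what the patch described in the
// article does by refusing the syntax: the result names the real host only.
function stripCredentials(raw) {
  const url = new URL(raw);
  url.username = "";
  url.password = "";
  return url.href;
}

// Return the subset of links that should be flagged before display or use.
function flaggedLinks(links) {
  return links.map(inspectUrl).filter((r) => r.valid && r.hasUserInfo);
}

// Stand-alone demonstration over the constructed sample links.
for (const r of SAMPLE_LINKS.map(inspectUrl)) {
  if (r.hasUserInfo) {
    console.log(`FLAG  ${r.raw}\n      real host: ${r.realHost}, decoy text: "${r.decoy}"` +
                `${r.exposesPassword ? ", password exposed" : ""}\n      stripped: ${stripCredentials(r.raw)}`);
  } else {
    console.log(`ok    ${r.raw} (host ${r.realHost})`);
  }
}
```

Running it prints the decoy link as connecting to `evil.invalid`, not `www.example.com`, and shows the credential-bearing link reduced to `https://api.example.com/v1/account`. The same `hasUserInfo` test is the one a proxy, mail gateway or link-rewriting filter would apply to incoming URLs.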
Microsoft refrained from issuing its own advisory in December because of a new security disclosure policy, which aims to keep word of potential flaws from becoming public until Redmond has had a chance to investigate and produce a fix if necessary. Instead, Secunia made its findings public, much to the chagrin of Microsoft.
Since that incident, Microsoft has left open the possibility that it will distribute an "out of cycle" update, breaking from its defined monthly cycle of security patches.