AnchorDesk

How Microsoft botched another security patch

Robert Vamosi
Senior Editor, Reviews
Monday, Feb. 9, 2004
Last week Microsoft quietly released a patch for Internet Explorer that, among other things, fixed a flaw that allowed phishing scams to operate. Trouble is, you probably didn't know the patch came out. And, even if you did, you probably weren't aware that Microsoft also changed some basic functionality within Internet Explorer that may have prevented you from logging into familiar Web sites.

Watch out for spyware
Along with phishing scams, online con artists use spyware (apps that install on your PC without your permission) to get your personal info. You can stop spyware with an app like Spybot Search and Destroy.

ONCE AGAIN Microsoft released an important update to its widely used browser without clearly explaining the changes to developers or sufficiently announcing its existence to the general public. I expect better from the world's largest software vendor.

On Feb. 2, the software giant released the patch in question, called MS04-004, which affects users of Internet Explorer 5.01, 5.5, and 6.0--something like 90 percent of Internet users these days. MS04-004 is a cumulative update, so if you haven't updated your IE recently, this package should do the trick.

Like every other Microsoft security bulletin, get your legalese dictionary in hand before you try to read either the supposedly "dumbed-down" end-user version or the ever-evasive technical version. Neither is particularly clear.

The biggest problem fixed in this patch has been well known for many months; it allows special characters in the HTTP or HTTPS address field to mislead users into thinking they're going to one site when in reality they're heading to another. This is a trick often employed by phishers, aka e-mail scam artists: They send e-mail that looks like it's from a legitimate company, requesting personal info, but which really takes you to a fraudulent Web site that has no connection to the legitimate company.

For example, a link within a phishing e-mail might be coded as "http://www.citibank.com/legitimate.html@www.haxor.com/phishingscam.html." In your e-mail, you'd see only the first part--"http://www.citibank.com/legitimate.html"--highlighted as a link. But when you clicked on it, you'd go to "www.haxor.com/phishingscam.html." What Microsoft has done is remove the ability to link to the second part of the URL if a special character (such as an "@" sign) is used.

THE TROUBLE IS, some Web sites use special characters in URLs for legitimate purposes, such as demarcating your username and password for easy login. So, for users who dutifully installed the patch, sites that use this feature won't work anymore.
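To make both points concrete, here is an added example (mine, not code from the column or from Microsoft) that contrasts a strict RFC 3986 parse of a link with a simplified model of the lenient "@" handling described above, and classifies links the way a mail gateway might: it separates the spoofing trick from the legitimate user:pass@host login URLs the patch also breaks. The sample links and the "hostname-shaped username" heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}

def lax_host(url: str) -> str:
    """Host a lenient parser of the kind the column describes would use.
    Simplified model (an assumption, not IE's real algorithm): everything
    before the last '@' ahead of any query/fragment is taken as credentials,
    and the host is whatever follows up to the next '/'."""
    rest = url.split("://", 1)[1] if "://" in url else url
    for stop in "?#":                      # query/fragment never hold the host
        rest = rest.split(stop, 1)[0]
    host = rest.rsplit("@", 1)[-1].split("/", 1)[0]
    if not host.startswith("["):           # strip a port (IPv6 literal kept)
        host = host.split(":", 1)[0]
    return host.lower()

def assess_link(url: str) -> dict:
    """Classify a link as a mail gateway might.
    spoof-risk:  strict and lenient hosts differ, or the userinfo is shaped
                 like a hostname (heuristic: it contains a '.')
    credentials: a genuine user:pass@host login URL, the legitimate use
                 that the patch blocks along with the spoof
    ok / not-web: no '@' in play / scheme other than http(s)"""
    parts = urlsplit(url)
    if parts.scheme.lower() not in WEB_SCHEMES:
        return {"verdict": "not-web", "strict_host": None, "lax_host": None}
    strict = parts.hostname or ""          # RFC 3986 authority, lower-cased
    lax = lax_host(url)
    user = parts.username
    if lax != strict or (user and "." in user):
        verdict = "spoof-risk"
    elif user is not None:
        verdict = "credentials"
    else:
        verdict = "ok"
    return {"verdict": verdict, "strict_host": strict, "lax_host": lax}

# Constructed sample links modelled on the column's citibank/haxor example.
SAMPLE_LINKS = [
    "http://www.citibank.com/legitimate.html@www.haxor.com/phishingscam.html",
    "http://www.citibank.com@www.haxor.com/phishingscam.html",
    "http://alice:s3cret@library.example.edu/login",
    "https://www.citibank.com/legitimate.html",
]
if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = assess_link(link)
        print(f"{r['verdict']:11} strict={r['strict_host']} lax={r['lax_host']}  {link}")
```

The first two links are the phishing pattern the column describes; the third is the kind of legitimate login URL that stops working once MS04-004 is installed.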

One immediate casualty is the porn industry, but mainstream sites like universities and corporate reseller programs use this technology as well. For a more technical discussion of this change, you can read Microsoft's Knowledge Base article on the topic.

Though this reworking of IE required Web developers to make changes on their sites, Microsoft gave them less than one week of notice to do so. Some Web sites, frustrated by customer complaints, have already opted to reverse that part of the patch for their customers--negating any security enhancements Microsoft might have hoped for in issuing the patch. In addition, it has no doubt been frustrating for users to be inexplicably blocked from sites they've accessed frequently before. Would it have been so hard for Microsoft to give developers and the public more notice about this patch?

But I guess the more practical question is: Should you install the latest IE patch? Yes. MS04-004 is cumulative, so the additional security benefits probably outweigh the glitches for most people. Will MS04-004 end phishing scams? No. Not everyone will download and install this patch, so phishers will still have many victims from whom to con personal information.

And will this be the last time Microsoft abruptly changes functionality in the name of security? Probably not. According to one Microsoft security response team member, "Our customers have said, 'We want security,' and so that is the change that we gave them." I take that to mean, unfortunately, that we can expect this sort of scenario to play out again in the near future. If only Microsoft would take a little extra effort to communicate, it would save developers and end users many headaches.

What do you think? Should Microsoft make a bigger deal about its security patches? TalkBack to me below!
