Modernizing Authentication — What It Takes to Transform Secure Access
planned Internet Explorer (IE) modification to fix security holes in the browser could disrupt e-commerce sites that use clear text to authenticate user names and passwords.
Lead product manager in Microsoft's Windows division Greg Sullivan told internetnews.com that e-commerce Web sites that send clear text for authentication will return an "invalid syntax error" on Web pages once a user applies the IE patch.
That's because the updated browser will remove
support for handling user names and passwords in both HTTP
In advance of the patch release, Microsoft made the unusual move of releasing a knowledge base article to provide details and workarounds for application and Web site developers that still use clear text authentication.
"For a long time on our MSDN developer network, we've published articles discussing and encouraging more secure methods of user authentication. When this flaw became apparent to us in December, we decided we had to fix it and now we are communicating with Web site owners to explain what we are doing and how they can modify their sites to avoid disruption," Sullivan said in an interview.
Microsoft is specifically urging site administrators to use the "IntenetSetOption" function and include new flags to send user information to the Web site. More information on rewriting site authentication codes to avoid disruption has been posted here and here.
The company also cautioned IE users against typing HTTP or HTTPS URLs that include user information in the address bar. "If the Web site uses the basic authentication method, Internet Explorer [will]automatically prompt users for a user name and a password. In some cases, users can click the Remember my password box in the dialog box to save their credentials for later visits to that Web site."
User names and passwords in IE URLs are typically used to automatically send information to a Web site that supports the most basic authentication method and has been embedded in the browser since version 3.0. However, scammers have found a way to manipulate the URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site.
According to Microsoft, malicious users could also use the URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of its flagship browser.
Sullivan declined to say when the oft-delayed IE patch would be released, noting that the company's software engineers were in the "home stretch" of testing the fix. The most likely scenario is for Microsoft to issue the patch in its next monthly scheduled release (second Tuesday in February).
Microsoft's confirmation of an anti-spoofing IE patch comes just one day after independent researchers warned of a new IE security flaw that could be exploited to trick users into downloading malicious files. That bug, which carries a "moderately critical" rating from tech security consulting firm Secunia, could allow malicious Web sites to spoof the file extension of downloadable files.
Sullivan could not say if the coming IE patch would include fixes for five different IE vulnerabilities that leaves users at risk of system takeover, exposure of sensitive information, cross-site scripting and security bypass.
Last November, Chinese security researcher Liu Die Yu released details of circulated proof-of-concept exploits on several mailing lists, warning that IE versions 5.0, 5.5 and 6.0 were susceptible to the vulnerabilities, which carry an "extremely critical" rating.
Stephen Toulouse, program manager at Microsoft's security response center, told internetnews.com the company was investigating Yu's claims and said a patch was under development.