Forgot your password?
typodupeerror
Internet Explorer The Internet It's funny.  Laugh. Security

Microsoft Advises to Type in URLs Rather than Click 984

Posted by CowboyNeal
from the tedious-surfing dept.
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
This discussion has been archived. No new comments can be posted.

Microsoft Advises to Type in URLs Rather than Click

Comments Filter:
  • i knew it (Score:5, Funny)

    by jester42 (623276) * on Friday January 30, 2004 @06:04AM (#8133062)
    i always knew that those hyperlinks were a bad security problem. Web designer should really avoid those propietary 'href'-tags for security reasons.
    • by beda (158888) on Friday January 30, 2004 @06:24AM (#8133160)
      You are right, gurus use 'a'-tag instead, with 'href' as an attribute.
      • Re:i knew it (Score:5, Interesting)

        by sepluv (641107) <blakesleyNO@SPAMgmail.com> on Friday January 30, 2004 @07:43AM (#8133445)
        Not in XHTML 2.0 -- it looks like the anchor (a) element is probably going to be deprecated now one can use href on any element (as I have said it should be for a while, because there is nothing semantically special about link text in comparison to other text).

        IMO, as XHTML 2.0 is meant to be non-backwards-compatible, they should use the a element for the functionality of the acronym and abbr elements.

        • Re:i knew it (Score:3, Insightful)

          by brokenvoice (595329)
          Nothing semantically special about link text? Doesn't that fact that it is acting as the anchor of the link make it semantically significant? Or are you thinking in wholy human-readable terms?
        • Re:i knew it (Score:4, Informative)

          by Trejkaz (615352) on Friday January 30, 2004 @08:02AM (#8133506) Homepage
          Ah, but XHTML 2 is in the same namespace as XHTML 1, which means people might assume 'a' is anchor anyway. That's even why they made 'q' into 'quote', because the display semantics of 'q' were different ('q' is supposed to have quotes automatically supplied, whereas 'quote' isn't.)
        • XHTML = DOA (Score:5, Insightful)

          by mccrew (62494) on Friday January 30, 2004 @01:41PM (#8136425)
          Now I'll be the first to say that XHTML is a good thing and all that HTML should have been, but unfortunately the horse has already left the barn, and so designing a more secure barn door lock is mostly an academic exercise. Clients are written to deliberately be tolerant of HTML, and to degrade gracefully in the face of malformed, broken, or just-plain-wrong HTML elements. There is just too much valuable information in HTML 3.2 out there that nobody will accept a client that is hard-core XHTML only, and so if XHTML clients have to be backwards compabible to be used, what's the motivation to go to the pains of converting to XHTML? I don't see it.

          Any solution that relies upon millions of people changing their behavior is dead on arrival.

    • by zoney_ie (740061) on Friday January 30, 2004 @06:35AM (#8133210)
      How on EARTH did someone write this KB article without cracking up. Are they for real or what?

      I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...

      Yeah, right. I can't get over this article - it's nearly like a spoof or something.

      I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
      • by danamania (540950) on Friday January 30, 2004 @07:08AM (#8133322)
        To go back to an often used analogy, if Microsoft were a car company and their vehicles happened to exhibit a problem with the engines catching on fire (as happens, sometimes, with real car manufacturers) other makers would recall and fix the problem.

        Not microsoft!

        They're innovative. They'd send a helpful sheet out to owners:

        -----------------
        Things you can do to protect yourself from an engine fire:

        The most effective step you can take to protect yourself from an engine fire caused by the known defect, is pushing your car manually. By pushing your car manually, you can avoid creating the temperatures required to initiate combustion. This will keep your car safe. Also, you can save fuel and contribute to a cleaner environment.
        ----------------- :P
      • by LittleGuy (267282) on Friday January 30, 2004 @08:23AM (#8133586)
        How on EARTH did someone write this KB article without cracking up. Are they for real or what?

        We'll find out next fall on an all-new FOX Reality Miniseries: "The Simple Life: Redmond".

        (What? Didn't you notice that the KB is suppose to Microsoft Internet Explorer 6.0 SP1, when used with Anal Wiener Buggers?)

      • by m4rcL (724192) on Friday January 30, 2004 @08:34AM (#8133652) Homepage
        It shows beyond a shadow of a doubt how stumped Microsoft are. They must've sat for hours thinking of how to solve their problem and simply could not come up with an answer. Their software model cannot cope with this sort of thing so their only advice is to avoid using the internet properly. It's something we've all known all along. Open source works better.
      • by justforaday (560408) on Friday January 30, 2004 @08:57AM (#8133737)
        Who in their right minds would ACTUALLY follow the steps here?

        i totally agree with you about the absurdity of the whole situation. however, i will admit that i know someone who will follow these instructions to a tee. my roommate refuses to listen to anyone when they recommend using an alternate browser [firebird, mozilla, and opera have all been suggested numerous times by numerous people]. instead i get to sit there and laugh at him while he bitches about popups, security holes, and having to copy/paste links into notepad to make sure they really go somewhere he wants to go. i truly get the feel that some people purposefully put themselves through pain to try to make a point. what that point is, however, is totally lost on me...
        • by Duckman5 (665208) on Friday January 30, 2004 @10:20AM (#8134302)
          If you're roommate is that unwilling to change browsers when other people suggest, perhaps he's be willing to upgrade when "Microsoft" [wired.net.nz] tells him to.
          I've sent that page to a few people now, and the responses are pretty amusing. It redirects IE users to a spoofed MS Update page for Internet Explorer that offers Mozilla for download as the "update" for IE.
      • by scrytch (9198) <chuck@myrealbox.com> on Friday January 30, 2004 @11:02AM (#8134706)
        How on EARTH did someone write this KB article without cracking up. Are they for real or what?

        This one will crack you up even more: Don't use the word "begin" -- use "start" or "commence" instead [microsoft.com]. That's right, the parser doesn't need fixing, the English language does.

        It's frightfully for real. How's MS's level of support looking now?
    • by TrollBridge (550878) on Friday January 30, 2004 @07:42AM (#8133439) Homepage Journal
      Goatse trolls on Slashdot taught me not to click hyperlinks LONG before they became a security issue!
  • Hah! (Score:5, Funny)

    by DarkHelmet (120004) * <mark@seventhcBAL ... net minus author> on Friday January 30, 2004 @06:05AM (#8133068) Homepage

    I have a suggestion that's not in the Knowledge Base: don't use IE!

    Yeah, and I have a solution to prevent malicious programs like IE from running that's not in the Knowledge Base...

    Install Linux.

    I hear you can buy a copy of it for around $600 somewhere [sco.com].

    • by trezor (555230) on Friday January 30, 2004 @09:41AM (#8133983) Homepage

      I know this really isn't a popular opinion around here, but still, it needs to be said.

      While it's true Windows isn't really the state of the art platform when it comes to security, it beat's Linux when it comes to a few key issues. Like hardware support.

      Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue.

      And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.

      Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecassery services (Universal PnP, Remote assistance, remote registry and so on...), and using none-Microsoft products. Like Mozilla or Opera for web-browsing.

      As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendlyness" it configured to be insecure by default.

      And there goes my karma.

      • by bilbobuggins (535860) <`moc.tnujtnuj' `ta' `snigguboblib'> on Friday January 30, 2004 @12:01PM (#8135277)
        Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecassery services (Universal PnP, Remote assistance, remote registry and so on...), and using none-Microsoft products. Like Mozilla or Opera for web-browsing.

        why don't people see that this is a MAJOR FLAW with the OS?
        the majority of home PC users are not slashdot geeks and simply don't have the time, and shouldn't have to worry about this sort of stuff.
        the whole founding principle of a home PC is that joe somebody is empowered to pursue his lifelong dream of starting a small business and can focus on producing/selling/etc. without having to be a mainframe technician on top of it. at what point does the amount of required fixes/patches/workarounds make a device cease being a tool and become a liability instead?

        sally middle-school teacher should be able to check her email without 5 service packs.
        bill janitor should be able to boot up a computer and check a sports score without being decieved by a major browser flaw into installing 16 trojans and zombie-fying his machine.

        the folks at redmond have forgotten so utterly and completely that the original idea of a computer was to help people that it's mind boggling.

        one of the most satisfying things in software dev can be watching someones day become markedly easier b/c of something you worked on.
        microsoft has become the antithesis of that.

  • by Snosty (210966) on Friday January 30, 2004 @06:07AM (#8133080) Homepage
    I say go one step further for ultimate security and telnet to port 80.
  • by CaptainAlbert (162776) on Friday January 30, 2004 @06:07AM (#8133081) Homepage
    Why risk using the Web at all? Just e-mail the webmaster and ask him to fax the webpages to you [userfriendly.org]!
  • How About.. (Score:5, Insightful)

    by thesupraman (179040) on Friday January 30, 2004 @06:09AM (#8133086)
    They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?

    Really. perhaps a few more people should install pegasus email under windows, and download mozilla firebird - the world would really be a slightly better place!

    Or is that just too obvious?

    PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

    Sigh.
    • Re:How About.. (Score:5, Interesting)

      by golgotha007 (62687) on Friday January 30, 2004 @06:30AM (#8133192)
      What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

      damn, no kidding.

      i design web sites for a living. there's nothing worse than getting a web site looking just the way you want, then running a W3C CSS and HTML validator and having everything check out 100 percent. ...then to check the site with IE. holy crap, my PNG files aren't transparent anymore? what are all these extra spaces all over the place? why does the site now look so shitty?
    • > They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?

      But if they turn off 'automate EVERYTHING' then Windows will become susceptible to the Linux "forward this message to a friend and then delete all your files" virus.

      But yeah, "type in the links" is the ultimate irony from the company whose fixation on faux "ease of use" has wrecked the internet with a crapflood of viral e-mail.

    • Almost (Score:5, Insightful)

      by trezor (555230) on Friday January 30, 2004 @09:10AM (#8133796) Homepage
      • PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

      I know this is offtopic flamebait, but hell it's so likely to be true...

      I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.

      C'mon, it's not that crazy! We all know which mother has the marketshare's here.

      It's not like most people even know there are standard's anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?

      So yes, I believe IEs CSS-support (or the CSS-support in any Microsoft product) to be intentionally broken. To gain marketshare. And that's paranoid me.

      Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.

  • by VEGx (576738) on Friday January 30, 2004 @06:09AM (#8133090)
    In other news M$ advices all online banking users to walk in to their nearest bank office to secure their online banking...
  • uhh? (Score:4, Funny)

    by aarku (151823) on Friday January 30, 2004 @06:10AM (#8133092) Journal
    Is it just me or does the title of the article read:

    Eight-hundred-thirty-three-thousand-seven-hundred- eighty-six Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks

  • CLIE? (Score:5, Funny)

    by mattjb0010 (724744) on Friday January 30, 2004 @06:10AM (#8133098) Homepage
    Microsoft Advises to Type in URLs Rather than Click

    So now MS is promoting a return to command line interfaces?
  • I use Firebird. (Score:3, Interesting)

    by Noryungi (70322) on Friday January 30, 2004 @06:12AM (#8133106) Homepage Journal
    90% of my surfing is done with Firebird, either under Windows or Linux. It's fast (on a Pentium IV @ 2.0 GHz), complete and full-featured.

    9% is done with Opera 7.23. Mostly at home, since it's still small and light enough for my poor little Pentium machine.

    Less than 1% is done with IE, mostly with horribly broken site that only accept it, and I am actively searching for replacement

    FWIW, I never use MS Outlook or Outlook Express either. Earlier this week, when MyDoom struck our email servers, a couple of coworkers were infected. I was not.

    The moral of the story is that you can't trust Microsoft products.
  • Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for ./, the advice to type URL into the address bar may be one that we should all take to heart in the future.

    As pointed out here [technion.ac.il], the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.

    Example: one could replace the o's in http://www.microsoft.com [microsoft.com] with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.

    A more serious example: my bank, the Dutch Rabobank [rabobank.nl], features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.

    A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.

    Are there any people from countries using non-latin domain names that might want to comment on this?

    • by linuxci (3530) on Friday January 30, 2004 @06:23AM (#8133155)
      There's no excuse to have to go to reduiculous means to prevent spoofing, and manually typing in URL's is excessive, in fact I'd say the vast majority of people in here that use IE at home out of choice are doing it because they're too lazy to try alternatives (I can't think of any other reason why they'd prefer IE) so they're not gonna type URL's manually either - and the non tech literate public won't even know to do this.


      So it's upto the browser makers to take action if this is really a security risk.


      The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.

      • I fully agree with you that it should not be necessary. However, I assume that you are from a country using a latin charset (being Dutch, I am). However, even though we as "westerners" might still be in the majority (are we still?), this might not always be like this.

        For example: the number of Chinese internet users [technewsworld.com] went from roughly 600 thousand to 80 million in the timespan 1997-2003. So there will be lots more. And that's only China. I can only imagine that these people want domains in their own charset (at least we have lots of domain names in Dutch here in Holland, but of course we have the advantage of using a Latin charset).

        In that case, a general "block" on multilingual domains in the address bar won't work.

      • ``The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.''

        The whole point of Unicode is that it _is_ one charset for everything. I personally think that Unicode, especially UTF-8, is an even better invention than sliced cheese, and should be used anywhere and everywhere.

        True, this is not going to stop attacks involving spoofed URLs, but trusting URLs is bad from a security viewpoint anyway. What to think of misdirecting surfers with mal
    • by MonTemplar (174120) * <slashdot@alanralph.co.uk> on Friday January 30, 2004 @06:26AM (#8133172) Homepage Journal
      You don't even need to go digging for Unicode characters to pull off tricks like that. As demonstrated on Slashdot itself! Some examples: Anonvmous Coward (y replaced by v), MonTemp1ar (l replaced by 1 (one)). At least with /. usernames you have the UID that can be checked against to confirm the person's identity. No such luck if you apply the same trick to URLs - how many people are going to spot the difference?

      -MT.
    • by Craig Ringer (302899) on Friday January 30, 2004 @06:55AM (#8133286) Homepage Journal
      Just imagine going to:

      https://&#1010;&#1086;mm&#1086;nwealthbank.com.a u/

      (may not display properly - whatever, you get the picture)

      and getting a perfectly valid ssl session. With entirely the wrong people - but the user would only notice if they looked at the cert.

      Of course, you'd have to find a cert registrar dumb or unethical enough to give you a cert for the domain, but with people like Verisign around that can't be hard.
    • Use colors (Score:4, Interesting)

      by spitzak (4019) on Friday January 30, 2004 @07:30AM (#8133390) Homepage
      Possible fixes:

      1. Display something for EVERY byte in the URL! (this is Microsoft's main problem). The only character that could plausably display as a blank area is the byte with the value 32, and even that could show an underscore or something. If "%0102" is in the url, show the characters '%', "0', etc. And obviously the text "%00" in the url should not cause the rest to disappear. In case you think only Microsoft is stupid, Unix software often displays '\n' characters as breaks making multiple lines, in Mac's Safari this makes those spoof URL's display almost as badly as IE.

      2. Display all non-ascii characters in a different color. Please ignore the probably loud Politically Correct crowd that will say you are demonstrating anglo-centric bias, those same people kept UTF-8 from being adopted for over 12 years (since it is obviously a bias to have westerners have the shorter characters) and actually hurt i18n far more than the most ignorant midwestern Cobol programmer did.

      3. Display as much of the URL that corresponds to a site you have visited before in a different color. Ie similar to showing a visited link a different color in the page, show the preview of the URL with the hostname and leading directory levels colored that match some URL you visited before. Then, assumming you visited your bank once, the fake bank address will be noticable by not being colored.
  • What about .... (Score:4, Insightful)

    by sdukaric (640170) <sinisa&sinisa,org> on Friday January 30, 2004 @06:15AM (#8133123) Homepage Journal
    Let's say M$ user types in URL but on that URL is redirection to faulty URL? The thing is, they can do nothing about it. And nowadays some regular URL has like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. SO, M$ crew, create a real browser and stop dragging us/them to a stone age...
  • by quantaman (517394) on Friday January 30, 2004 @06:18AM (#8133132)
    http://support.microsoft.com/default.aspx?scid=kb; %5Bln%5D;833786

    Need I say more?
  • Don't use IE (Score:4, Informative)

    by 91degrees (207121) on Friday January 30, 2004 @06:19AM (#8133136) Journal
    I try to convince other people of this. Firebird conatains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.

    The other people just don't. It's not like they don't know how. These are proper techies. they just make up daft excuses like not trustin free software.

    Maybe trust is importatn. You can trust IE after all. You can trust it to be insecure.
  • by krappie (172561) on Friday January 30, 2004 @06:24AM (#8133161)
    It hasnt made it on slashdot yet, but netcraft is reporting [netcraft.com] that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.

    For more information, please see microsoft's advisory [microsoft.com]. Thats right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".

    After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..

    Workarounds for this new behavior are listed as:
    * Do not include user information in HTTP or HTTPS URLs.
    * Instruct users not to include their user information when they type HTTP or HTTPS URLs.

    How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
  • This is great ... (Score:3, Insightful)

    by boris_the_hacker (125310) on Friday January 30, 2004 @06:25AM (#8133167) Homepage
    ... and even though I dont use Windows this is a nice step towards better security.

    My main issue is this, the knowledge base is huge - there are thousands of articles, therefore although the article is there how many *normal* people actually read it ? The people that need the information the most are those that are less computer literate and the same people that would rather be playing flash games than reading a document on a "geeky computer" website.

    It is same with the "oh they should use another browser", at the end of the day they dont really care until they get bitten - and even then they will make the same mistakes again. I personally think that the software update mechanism (where the window pops up if there are updates) is great under OS X. You would have to be really retarded to ignore it.

    Maybe Windows and Linux could do with something like this ? I know debian has it's security feed (which I use), but it'd be useful if it alerted me that there were updates. I also remember there being a update manager but maybe it shouldn't allow you to not install the security updates. (Please forgive my lack of knowledge of the recent windows situations WRT updates- I rarely use it so please dont flame back but I would be genuinely interested to know - for the sake of my parents computers)

    Anyway, end of post.
  • by 2bot_or_not_2bot (634313) on Friday January 30, 2004 @06:25AM (#8133168)
    (1) Checkbox to disable "kiosk mode" from EVER happening! (2) Checkbox to disable pop-up windows (or prompt user per pop-up) as opposed to disabling Javascript altogether. (3) Outlook-specific settings for HTML preview so that most features can be turned off for e-mail preview; stop spam from essentially calling home via preview, or playing virus MP3, etc. For example, by default forbid all HTML-formatted e-mail from accessing the Internet and running scripts -- just totally passive HTML. The user, at his or her discretion, can right-click on the body of an e-mail to select further previewing rights for trusted mail. (4) Checkbox to reject URLs that use unicode characters -- just an option; (5) Checkbox to forbid wacky URLs with "obvious" redirection tricks; (6) Option to set the "maximum number of browser windows to open per second". One can set this to a rate slower than one's ALT-F4 pressing rate, to win the battle against run-away pop-ups.
  • by The Fink (300855) <slashdot@diffidence.org> on Friday January 30, 2004 @06:29AM (#8133188) Homepage
    It's part of our IT department's standard operating environment to have MSIE as the only browser on Windows platforms. It's also part of their policy to prevent additional programs -- specifically including web browsers of any kind -- from being installed, and the penalty for doing so is not something I really feel like finding out. People have been fired for repeat violations.

    Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...

    So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank [anz.com]...

    ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.

    Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.

  • by This is outrageous! (745631) on Friday January 30, 2004 @06:33AM (#8133202)
    "Protect yourself from clicking links by disconnecting the mouse!"

    "Protect yourself from email worms by walking to the post office!"

    "Protect yourself from p2p worms by buying your music on 8-track tape!"

    "Protect yourself from joe-jobs by not using your hotmail address!"

    "Protect yourself from internet credit card theft by using dollar bills exclusively!"

    "Protect yourself from e-banking snoopers by keeping your savings under the mattress!"

    "Protect yourself from spam by disconnecting the internet!"

    "For Christ's sake, protect yourself from illegal operations by turning off your computer NOW!

    (Oops, this one's not new.)

  • Use mozilla (Score:5, Funny)

    by mobby_6kl (668092) on Friday January 30, 2004 @06:38AM (#8133221)
    Can I have my karma now?
  • by BigRedFish (676427) on Friday January 30, 2004 @06:47AM (#8133256)

    I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:

    The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.

    Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.

    Now, from the "but it's so easy to use" department:

    Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.

    Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name an nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.

    From the "but it's so easy to use" department, take two:

    In the Address bar, type the following command, and then press ENTER:
    javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

    I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.

  • by deadmonk (568008) on Friday January 30, 2004 @07:04AM (#8133311) Homepage Journal
    The same MS advisory page recommends (way down at the bottom for those that don't bother to RTFA):
    Read E-mail Messages in Plain Text.
    ...
    By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:

    * %00
    * %01
    * @

    Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?

    Nice way to bury that one, guys..
  • by CubicZirconia (555781) on Friday January 30, 2004 @07:30AM (#8133392)
    So what's next then? ....Write your emails in outlook, then print them and mail them in an envelope, all the benefits of outlook with the added security of Physical Delivery (tm)*(new improved feature, Microsoft patent pending).
  • No bugfix? (Score:3, Funny)

    by Zog The Undeniable (632031) on Friday January 30, 2004 @07:49AM (#8133471)
    So they're not going to fix the spoofed URL bug [theregister.co.uk] then? Well, I guess a KB page is cheaper than paying developers to figure it out!
  • by CFBMoo1 (157453) on Friday January 30, 2004 @08:15AM (#8133561) Homepage
    and typing in URLs instead of clicking links!

    Microsoft Coperation today advised users to upgrade their current Internet Explorer web browsers to Carrier Pigeon 1.0. This newly released software package transferes HTML documents safely and securly over the friendly skies.

    NOTE: Microsoft is not responsible for packet loss during hunting season, unless it's wabbit season but definatly not duck season!

    I know I should probebly read the advisory, but I use mozilla. So how would it help?

  • ulitmate defeat (Score:5, Interesting)

    by init-five (745157) on Friday January 30, 2004 @09:19AM (#8133850)
    To ask the user not to click on bad URL's is to admit:

    1) we (Microsoft) know what a bad url is
    2) we (Microsoft) assume that you may know what a bad url is
    3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
    4) we (Microsoft) give up trying to teach IE what a bad URL is
    5) hence we (Microsoft) ask you to please take care and avoid bad URL links
  • by SharpFang (651121) on Friday January 30, 2004 @09:21AM (#8133860) Homepage Journal

    The bug is not allowing URLs style:
    http://fake.host.as.username@the.real.evil .host/
    This is perfectly legal and most people will spot it! (well, at least I do.)
    The bug is:
    http://fake.host.as.username[somespecialchar] @the. real.evil.host/
    where the special character prevents IE from displaying anything after it.
    This is NOT the case in other browsers, this is a serious vulnerablity (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
  • by shic (309152) on Friday January 30, 2004 @10:08AM (#8134202)
    While risking a lampooning from the Slashdot crowd - I use both IE and Outlook - though I have to admit that as a result of this story I've been tempted to try Firebird again. To be honest, it has improved greatly and I'm now giving it another shot.

    Outlook is less easy to replace... I've a target platform of XP, and need to interact with an exchange server. While I hate the clunky configuration, gaping security flaws and slow bloated memory-hogging Outlook, I have to admit that I find Word a very effective productivity tool when writing prose - even though it is a sledgehammer to crack a nut. I only want to send ASCII mail, but I want real-time spelling and grammar checking. When will open source catch up on this front?

  • by Anonymous Coward on Friday January 30, 2004 @12:03PM (#8135300)
    My hands cramped up about halfway through typing http://support.microsoft.com/default.aspx?scid=kb; %5Bln%5D;833786 . :)
  • by greymond (539980) on Friday January 30, 2004 @01:13PM (#8136062) Homepage Journal
    "I have a suggestion that's not in the Knowledge Base: don't use IE!"

    If your the type of person who misstypes www.paypl.com(www.paypal.com) and end up going to a scam site, using Konqueror, Opera, Safari, whatever isn't going to help you not get scammed.

    Thats why it's important for those who make those types of mistakes to pay attention to the url, and not what the page looks like. And if your complaining about not having popup blocking well, most AV (Norton, McAffee) programs now include popupblocking. And if the person doesn't have a AV then they probably the person who also doesn't pay attention to their url's and is also the person who needs to learn about these things.

    I know you want to be "1337" and all but pick a better example or reason to flame a product thats obviously more used than your favorite browser.
  • Who has control? (Score:4, Insightful)

    by danila (69889) on Friday January 30, 2004 @04:47PM (#8138440) Homepage
    The biggest problem with browsers and other web-technologies is that they give more control to designers and webmasters, not to the users. Java, ActiveX, Flash, Javascript, CSS, etc. all allow designers and webmasters to determine more precisely what should happen on the user's end. Completely wrong and inacceptable, yet this is exactly what is happening.

    It is entirely possible to design a page that would open in an IE window without toolbars, scrollbars and statusbar. Then it is entirely possible to add interactive graphical elements to the sides that would behave exactly like real IE interface elements, only they would be fake. This is wrong. The standards should give limited control to providers of information, while browsers give ultimate control to the users. It is completely wrong that standards allow javascript to intercept mouseclicks and block rightclick menu. It doesn't affect me because I use Opera, which doesn't give a shit about that, but when I click the wheel (button 3), I see that stupid message window that informs me I shouldn't right click on that site. This isn't more than an annoyance, since scrolling still works and rightclicking is not affected at all, but this should never happen in the first place.

    Unicode addresses are wrong as well. They are an annoyance to the users. Have you ever seen a user (a visitor, the one who browses the web) request ability to use Unicode in URLs? I've never heard about that. It's some webmasters, who decided they want this stupid-stupid-stupid trick to work (and greedy registrars and their marketdroids) and broke a perfectly good addressing mechanism (I am Russian, but I never ever wanted Cyrillic URLs, even though now they are apparently supported).

What this country needs is a good five dollar plasma weapon.

Working...