Microsoft Corp. has taken a drastic step to prevent Explorer from being undermined by security holes and announced plans to cut an Internet standard out of its browser.
The software giant has not disclosed when its “patch” — but more accurately described as a “limiter” — will be made available, but it has said that it will prevent people from automatically logging into a Web site using just the browser’s address line.
The announcement of an upcoming fix, rather than the release of the fix itself, points rather to the fact that another hole discovered this week (which compounded the problem) has forced the company’s hand.
The original problem has been used by con-artists to make Web users think they are visiting one site when they are in fact at another. This is done by twisting the Internet standard that allows you to sign into a Web site with a password and username using just a single address line of the form: http(s)://username:firstname.lastname@example.org.
If you replace the “username:password” portion with a Web site name like “www.itworldcanada.com” and put it as a link in an e-mail of on a Web site, it looks to the Net user as if the link leads to IT World Canada whereas in fact it leads to Website.com.
This simple ploy has been used to con people all over the world by making them think they are visiting trusted sites including PayPal and eBay Inc., among others.
However, the problem was made even worse in December when it was found that the introduction of a simple set of characters made the con even more convincing because one the link was clicked, even the browser itself displayed the false Web address. This meant that someone would have nothing but their own suspicions over whether a site was real — Explorer displayed exactly what the con-artist wanted it to.
To make matters even worse, this week another hole was revealed (although it appears to be identical to one first discovered and pointed out to Microsoft nearly three years ago) in which users could be conned into thinking they were downloading a certain file when they were downloading something completely different.
When a Web browser can’t be trusted to tell you what site you are visiting and even what you might be downloading, you really have to question whether it is viable as a Web browser at all. Microsoft swiftly recognized the huge issue at foot and so it has jumped in saying it is producing a fix before the idea of Explorer as a liability gaths mainstream momentum. This “fix” is clearly painful for Microsoft to introduce as it pulls functionality out of its browser. It is only pulling it out of Web pages (i.e. http(s)) at the moment, but it may also have to do the same for FTP sites — effectively killing any plans to make its browser practical as a Web site updater.
Microsoft was criticized for not introducing a fix for this problem in January, leading many to believe it was not fixable. Its decision to cut the whole thing out is a good demonstration that it wasn’t.
Explorer is not alone in this problem — all the other browsers have the same issue with spoofed addresses. Mozilla has also yet to find a solution. Opera throws up a warning box if it believes it may be a spoofed address.