IE Patch Could Disrupt E-Commerce

Written By
Ryan Naraine
Jan 30, 2004

Microsoft’s planned Internet Explorer (IE) modification to fix security holes in the browser could disrupt e-commerce sites that use clear text to authenticate user names and passwords.

Lead product manager in Microsoft’s Windows division Greg Sullivan told internetnews.com that e-commerce Web sites that send clear text for authentication will return an “invalid syntax error” on Web pages once a user applies the IE patch.

That’s because the updated browser will remove support for handling user names and passwords in both HTTP and HTTPS URLs. The withdrawn support for clear text authentication effectively provides a workaround for the URL-spoofing flaws that are commonly used by scammers to mask fake sites and trick users into giving up sensitive information including credit card and social security numbers.

In advance of the patch release, Microsoft made the unusual move of releasing a knowledge base article to provide details and workarounds for application and Web site developers that still use clear text authentication.

“For a long time on our MSDN developer network, we’ve published articles discussing and encouraging more secure methods of user authentication. When this flaw became apparent to us in December, we decided we had to fix it and now we are communicating with Web site owners to explain what we are doing and how they can modify their sites to avoid disruption,” Sullivan said in an interview.

Microsoft is specifically urging site administrators to use the “InternetSetOption” function and include new flags to send user information to the Web site. More information on rewriting site authentication codes to avoid disruption has been posted here and here.

For Web site operators that include HTTP or HTTPS URLs with user information in scripting code, Microsoft is also urging that the code be changed to use cookies instead of user information.

The company also cautioned IE users against typing HTTP or HTTPS URLs that include user information in the address bar. “If the Web site uses the basic authentication method, Internet Explorer [will] automatically prompt users for a user name and a password. In some cases, users can click the Remember my password box in the dialog box to save their credentials for later visits to that Web site.”

User names and passwords in IE URLs are typically used to automatically send information to a Web site that supports the most basic authentication method, a capability that has been embedded in the browser since version 3.0. However, scammers have found a way to manipulate the URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site.

According to Microsoft, malicious users could also use the URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of its flagship browser.
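As an added illustration (not part of the original article or of Microsoft's guidance), the JavaScript below shows how a site operator could scan page markup or script text for HTTP and HTTPS URLs that carry user information, both to find links the patch will break and to flag the spoofing pattern described above. The function names and the sample links are assumptions made for this example.

```javascript
// Added example. Every URL in SAMPLE is constructed for illustration.
const SAMPLE = `
<a href="http://www.example.com/catalog">Catalog</a>
<a href="https://shopper:s3cret@store.example.com/account">My account</a>
<a href="http://www.example.com@203.0.113.7/login">Sign in</a>
`;

const URL_RE = /\bhttps?:\/\/[^\s"'<>]+/gi;

// Userinfo is percent-encoded; malformed escapes must not abort the audit.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function auditUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { raw, status: "unparseable" }; }
  if (u.username === "" && u.password === "") {
    return { raw, status: "ok", host: u.hostname };
  }
  const userinfo = safeDecode(u.username);
  // Userinfo shaped like a host name is the spoofing pattern: a reader sees
  // the text before "@", but the browser connects to the host after it.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(userinfo);
  return {
    raw,
    status: looksLikeHost ? "suspicious" : "credentials-in-url",
    host: u.hostname,          // where the request really goes
    userinfo,
    hasPassword: u.password !== "",
  };
}

// Return only the links that need attention.
function auditText(text) {
  return (text.match(URL_RE) || []).map(auditUrl)
    .filter((r) => r.status !== "ok");
}

for (const r of auditText(SAMPLE)) {
  console.log(`${r.status}: ${r.raw} -> host ${r.host}`);
}
```

Links reported as credentials-in-url are the ones to move to cookies or another authentication method; links reported as suspicious name one site before the "@" and connect to a different one.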

Sullivan declined to say when the oft-delayed IE patch would be released, noting that the company’s software engineers were in the “home stretch” of testing the fix. The most likely scenario is for Microsoft to issue the patch in its next monthly scheduled release (second Tuesday in February).

Microsoft’s confirmation of an anti-spoofing IE patch comes just one day after independent researchers warned of a new IE security flaw that could be exploited to trick users into downloading malicious files. That bug, which carries a “moderately critical” rating from tech security consulting firm Secunia, could allow malicious Web sites to spoof the file extension of downloadable files.

Sullivan could not say if the coming IE patch would include fixes for five different IE vulnerabilities that leave users at risk of system takeover, exposure of sensitive information, cross-site scripting and security bypass.

Last November, Chinese security researcher Liu Die Yu released details of circulated proof-of-concept exploits on several mailing lists, warning that IE versions 5.0, 5.5 and 6.0 were susceptible to the vulnerabilities, which carry an “extremely critical” rating.

Stephen Toulouse, program manager at Microsoft’s security response center, told internetnews.com the company was investigating Yu’s claims and said a patch was under development.
