Microsoft finally issues IE spoofing bug patch

Microsoft will release a software update to Internet Explorer and Windows Explorer designed to protect web surfers from being lured to websites that might contain malicious code.

The announcement follows several IE-related security warnings issued by Danish security company Secunia. In December, Secunia alerted the security community to an IE bug that would let hackers display false web addresses. And on Wednesday, the company posted details of an alleged flaw that could let web surfers be tricked into downloading malicious files from counterfeit sites reached via such fake addresses.

The newly announced patch will disable a feature that lets people code a username and password directly into a link so that someone clicking the link can easily access the restricted page to which it points. Links coded in this way are not commonly used on the internet, but some web developers have built the functionality into certain HTTP sites hosted on corporate intranets to give specific users convenient access to information.

The problem with the feature is that the username/password piece of the URL code is not used to locate the web page. Attackers can therefore disguise that portion of the URL and trick surfers into thinking that they're going somewhere they're not.

"This is really bad, because even if you tried to figure out which site you were going to, you couldn't," said Russ Cooper, editor of TruSecure's security newsletter NTBugtraq.

This is how it works: The actual URL syntax in the link - which appears in the IE address bar, when the link is clicked, and also at the bottom of the IE window, when someone rolls over the link with the cursor - looks like 'http(s)://username:password@server/resource.ext'.

The browser uses whatever is to the right of the @ symbol to locate the web page. Everything to the left of the @ is used to authenticate the user. If there is no authentication mechanism available on the targeted page, the beginning part of the URL is ignored.

Attackers, then, can use the area to the left of the @ symbol to create a fake web address and fool victims into going to a different page or site. For instance, the URL http://www.cnet.com@mysimon.com looks like it will go to the Web site http://www.cnet.com, but it actually goes to mysimon.com.

The problem has been exacerbated by a recently discovered bug in the URL display of IE browsers. By adding a few special characters in front of the @, an attacker can prevent the browser from displaying the true destination address of the URL. So, for instance, in the above example, the URL in the IE address bar and at the bottom of the IE window would appear as simply http://www.cnet.com.

After users install the new patch, IE will no longer recognise links coded with usernames and passwords and will send surfers to a web page that displays an "Invalid syntax error" message. Microsoft hasn't said when the patch will be available, but the company has released a support document to help explain how coders of links can work around the new change.

Microsoft maintains that it is very serious about making its software more secure, but, a company representative said, it must consider how fixes will affect its entire user base.

"We are aware that there is a growing concern among customers over URL spoofing," the representative said. "And we want to address those issues in a way that mitigates the hazard, but we also don't want to harm the user experience. It's a delicate balance."

Marguerite Reardon writes for CNET News.com