Microsoft has taken a drastic step to prevent Explorer from being undermined by security holes and announced plans to cut an Internet standard out of its browser.
The software giant has not disclosed when its “patch” - but more accurately described as a “limiter” - will be made available, but it has said that it will prevent people from automatically logging into a website using just the browser’s address line.
The announcement of an upcoming fix, rather than the release of the fix itself, points rather conclusively to the fact that another hole discovered this week (which compounded the problem) has forced the company’s hand.
The original problem has been used by con-artists to make Web users think they are visiting one site when they are in fact at another. This is done by twisting the Internet standard that allows you to sign into a website with a password and username using just a single address line of the form: http(s)://username:password@website.com
If you replace the “username:password” part with a website name like “www.techworld.com” and put it as a link in an email or on a website, it looks to the Net user as if the link leads to Techworld whereas in fact it leads to Website.com.
This simple ploy has been used to con people all over the world by making them think they are visiting trusted sites including PayPal and eBay, among others.
However, the problem was made even worse in December when it was found that the introduction of a simple set of characters made the con even more convincing because once the link was clicked, even the browser itself displayed the false Web address. This meant that someone would have nothing but their own suspicions over whether a site was real - Explorer displayed exactly what the con-artist wanted it to.
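As an added example (not part of the original article), here is a small link checker of the kind a mail gateway or help desk could run over message text: it parses each address the way a browser does, reports the host the link really leads to, and flags links whose username part looks like a site name or hides non-printable characters. The sample message and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample text with the kinds of links the article describes
# (the hostnames are placeholders, not real sites).
SAMPLE_MESSAGE = """\
Please confirm your details at https://www.techworld.com@website.com/login
Our intranet is at http://alice:secret@intranet.example.test/ and the public
site is https://www.example.org/ . Also seen: http://www.paypal.example%0a@website.com/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HOSTNAME_LIKE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+", re.IGNORECASE)


def analyse_link(url):
    """Report where a link really leads and why a reader might be misled."""
    parts = urlsplit(url)
    has_userinfo = parts.username is not None
    userinfo = unquote(parts.username or "")
    # Control characters only affect what the browser shows; drop them to
    # see the text a reader would take for the site name.
    visible = "".join(c for c in userinfo if c.isprintable())
    reasons = []
    if has_userinfo:
        if HOSTNAME_LIKE.fullmatch(visible):
            reasons.append("userinfo looks like a site name: " + visible)
        if visible != userinfo:
            reasons.append("non-printable characters hidden in userinfo")
    return {
        "url": url,
        "real_host": parts.hostname or "",
        "has_userinfo": has_userinfo,
        "userinfo": userinfo,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_text(text):
    """Extract every http(s) link from text and analyse each one."""
    return [analyse_link(m.group(0).rstrip(".,;:)")) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_MESSAGE):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} -> {finding['real_host']:25} {finding['url']}")
        for reason in finding["reasons"]:
            print(" " * 13 + reason)
```

A link with ordinary credentials (alice:secret) is reported but not flagged, since the article's complaint is with links whose userinfo impersonates a site, not with the standard as such.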
To make matters even worse, this week another hole was revealed (although it appears to be identical to one first discovered and pointed out to Microsoft nearly three years ago) in which users could be conned into thinking they were downloading a certain file when in fact they were downloading something completely different.
When a Web browser can’t be trusted to tell you what site you are visiting and even what you might be downloading, you really have to question whether it is viable as a Web browser at all.
Microsoft swiftly recognised the huge issue involved and has jumped in saying it is producing a fix before the idea of Explorer as a liability gathers momentum. This “fix” is clearly painful for Microsoft to introduce as it pulls functionality out of its browser. It is only pulling it out of Web pages (i.e. http(s)) at the moment, but it may also have to do the same for FTP sites - effectively killing any plans to make its browser practical as a website updater.
Microsoft was criticised for not introducing a fix for this problem in January, leading many to believe it was not fixable. Its decision to cut the whole thing out is a good demonstration that it wasn’t.
To be fair though, Explorer is not alone in this problem - all the other browsers have the same issue with spoofed addresses. Mozilla has also yet to find a solution. Opera throws up a warning box if it believes it may be a spoofed address.
We’re not Web developers but it seems to us that rather than destroy the standard it would make far more sense to make it more exacting, for example by specifying the exact format in which the username and password have to be given for the link to work. In this way it would be possible to cut out any misleading links.
Who for example would feel comfortable following a link to the site “http://microsoft8756.com”?