Microsoft: Stuck between a rock and a hard patch?
Published: 06 Feb 2004 16:50 GMT
This is a big problem for individuals and for any company -- including eBay, ISPs and banks -- that does business online. If you run an e-commerce site, your reputation is at stake; if you are an individual who takes the phishing bait, your cash and possibly even your identity are at stake. So it's hardly surprising that Microsoft decided to issue a patch to close the hole.
But just to complicate matters, there is a further problem: many Web sites use the http://username:password@server/resource.com convention to authenticate users, and many of these have suffered as users duly updated IE with the new patch.
Angus Systems Group, for instance, found that its commercial real estate Web-enabled service suffered badly from the patch. Senior architect Brad Aisa said the company's reporting tool depended on the http://username:password@www.somesite.com URL convention, but users who have downloaded the patch can no longer use it. And a work-around is no simple matter (Aisa characterised it as "onerous and complex"), since the security was embedded in Angus Systems Group's application. The credentials, said Aisa, were not those of individuals, but groups of users who share credentials.
So whether or not the patch was successful depends on several things, not least of which is your definition of the word "success".
For while the patch did what it was supposed to do for some users, it also meant they were locked out of legitimate e-commerce Web sites. For other users, the patch failed to do what it was supposed to do, but their access was unaffected. Whether or not the patch worked seems to be contingent on other third-party applications on the client PC, but the real question is: should Microsoft have issued this patch in the first place?
The company was under pressure to plug what many consumers perceived as a bug. In fact, the username:password convention is mentioned in a document of the Internet Engineering Task Force called RFC 2396. However, the IETF's opinion appears to be that this practice is not recommended. The IETF's reticence appears to be not so much about phishing as the issue of passing usernames and passwords as clear text (as they are when embedded in URLs like this). So Microsoft can now say that, in this respect at least, its browser is more secure than those of the competition.
Indeed, no other browser has blocked this functionality. But then no other browser allowed that nasty %01 bit in the URL that is God's gift to phishing. Mozilla ignores it, and Opera even provides a security warning explicitly telling you the name of the server you are about to visit.
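As an added, defender-side illustration (not code from the article, from Microsoft, or from any company it mentions): a small Python checker that parses a URL the way RFC 2396 allows, reports the host a resolver would actually contact, and flags the two things discussed above: credentials carried in clear text in the userinfo part, and a username that looks like a hostname or carries a control character such as %01 that hides the real server. The sample URLs, the domain names in them and the allow/warn/block policy are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the article). They cover the cases the
# article discusses: a plain URL, a legitimate userinfo login URL of the kind
# Angus Systems relied on, a spoof that puts a trusted-looking name before
# the '@', and the percent-encoded control-character variant.
SAMPLE_URLS = [
    "http://www.somesite.com/report",
    "http://username:password@www.somesite.com/report",
    "http://www.example-bank.com@phish.example.invalid/login",
    "http://www.example-bank.com%01@phish.example.invalid/login",
]

# ASCII control characters (including %00 / %01 once decoded) never belong in
# the authority component of a URL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Something that looks like a DNS name: two or more labels separated by dots.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyse_url(url):
    """Describe where a URL really points and why it may be deceptive.

    Returns a dict with the real host (as a resolver would see it), the
    decoded userinfo if any, a list of findings, and a verdict of
    'allow', 'warn' or 'block' (policy is an assumption for this example).
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    decoded_netloc = unquote(parts.netloc)
    findings = []
    userinfo = None

    if CONTROL_CHARS.search(decoded_netloc):
        findings.append("control character in authority")

    # Userinfo is everything before the last '@' in the authority; decode it
    # so percent-encoded characters are visible to the checks below.
    if "@" in parts.netloc:
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        findings.append("credentials passed in URL (clear text)")
        username = CONTROL_CHARS.sub("", userinfo.split(":", 1)[0])
        if HOSTNAME_LIKE.match(username):
            findings.append(
                f"username resembles a hostname: {username!r} shown, "
                f"{real_host!r} real"
            )

    if any(f.startswith(("control", "username resembles")) for f in findings):
        verdict = "block"        # deceptive: looks like one site, goes to another
    elif userinfo is not None:
        verdict = "warn"         # legitimate but credentials travel in the clear
    else:
        verdict = "allow"

    return {
        "url": url,
        "real_host": real_host,
        "userinfo": userinfo,
        "findings": findings,
        "verdict": verdict,
    }


def summarise(urls):
    """Map each URL to its verdict; handy for scanning a batch of links."""
    return {url: analyse_url(url)["verdict"] for url in urls}


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyse_url(sample)
        print(f"{result['verdict']:5s} host={result['real_host']!r} {sample}")
        for finding in result["findings"]:
            print(f"      - {finding}")
```

The point of the finer-grained verdict is the trade-off the article describes: a browser (or proxy) can keep the RFC 2396 login convention working for the Angus Systems case while still refusing the spoofed forms, and, as Opera does, show the user the host it is really about to contact rather than silently dropping the feature.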
Whoever at Microsoft was responsible for the decision probably felt they were stuck between a rock and a hard place: they either left the functionality in IE and faced accusations of aiding phishers, or released the patch and broke countless e-commerce sites. But perhaps if the company simply paid more attention to the standards in the first place they would not have had to make that choice.
Full Talkback thread
8 comments
Wow. It's a good thing I don't use Internet Explor... Anonymous -
Two "minor" notes:
(1) RFC 1738 has been replaced... John J -
Well spotted. I had missed that latest RFC, and ha... Matt Loney -
Wow, good thing I'm not an idiot and don't fall fo... Melangell -
What is interesting is that IE on the other platfo... Anonymous -
As a previous responder has noted, this sort of ph... Anonymous -
Just a point to make to the techies who have repli... Andy Clark -