Web Code Fixes Required by Internet Explorer in Early 2004
I though some folks around here would be interested in this article!

Except for security fixes, Microsoft has steadfastly refused to make any other updates to IE6 in the past 3 years, although it has fallen farther behind its two main competitors, Mozilla and Opera, in features/functionality, standards compliance and reliability/performance. A recent court decision against Microsoft by Eolas Technologies and the University of California at Berkley has changed the situation, though the 500 million dollar award is being appealed by Microsoft. However, Redmond is immediately changing some of the offending coding constructs. Interestingly, Microsoft will limit the changes in IE6 to patches, security repairs and the new compliance fixes – no fixes to JavaScript, CSS, DOM, and HTML non-compliance. Here, we examine those patent workaround fixes in more detail and what they mean to Web developers.
The rest of the article: http://www.webreference.com/programming/javascript/j_s/column5/

Or should I say Internet Exploder?

Microsoft just issued "832894 security update" for IE. See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

"A security update is available that removes support for handling user names and passwords in HTTP...or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer...after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894):

http(s)://username:password@server/resource.ext"

This is a HUGE change! For at least 4+ years, IE has supported the "username:password@" behavior.

This will break 1000s of websites worldwide (including one of my clients).

Does anyone have any ideas about alternative techniques?

You're right this is huge! I just spent three months setting up a password management program using Adpass's htaccess system. The adpass people just sent me a message saying the whole system will be made inoperative with the new explorer security patch. They're working on a fix, but they made no promises!

Personally, I'd be happier if IE6 were exempt from the changes and they agree to comply in v#.

Otherwise, unless the 'fix' is easy to impliment, and doesn't conflict with subsequent security upgrades, I should imagine IE will die on its butt and another browser reign supreme?

steve-parrott,

Is this the Adpass product from Ascad Networks?

,dave

Microsoft advises IE Explorer 5.x or IE 4.X users to upgrade immediately
If you can't upgrade than disable code execution features of old browsers immediately
02-17-2004 6:19:21 PM CST -- By Paula Rooney, CRN

Microsoft is advising customers to move to Internet Explorer 6 Service Pack 1 and more recent patches following the leak of Windows NT and Windows 2000 source code to the Internet last week. While downplaying the potential for hackers to uncover new vulnerabilities in Windows by having access to the source code, one top Microsoft Windows executive said during a monthly security briefing on Tuesday that customers using IE 5.x or IE 4.X versions should quickly download the latest IE code to protect their networks.

"Most of IE code is what was leaked," said Chris Jones, corporate vice president in the Windows Core Operating System Division, about the NT 4.0 and Windows 2000 code that leaked. "We don't believe [customers will be affected] so as long as they're current on the latest versions of IE.

Read the full article (http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=48010).

If all that was leaked was the IE code then what is there to worry about unless they know they are sloppy coders? I mean Firefox/Mozilla is open source and yet I have heard of few exploits for it. Maybe MS are worried about some code thats not supposed to be there ala spyware or is this just a ruse to get people to update to the latest versions because the later MS products, specifically media player, are spyware rich.

Microsoft Internet Explorer Integer Overflow in Processing Bitmap Files Lets Remote Users Execute Arbitrary Code
and
The flaw reportedly resides in 'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'.
*smacks self on head* Of course, how obvios lol
I never did trust those 'xxx' file extensions.
credit:http://www.securitytracker.com/alerts/2004/Feb/1009067.html
lol

Whoa, I've never seen this page before - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp?frame=true

To Dave Barnes,

Yes AdPass is from Ascad Networks.

Answer to IE's continual problems...SCRAP IT!
Microsoft (browser wise) are so far behind the times.

Get with the program and download an updated browser, like Mozzie FF or even the Opera 7.5 beta version.

Cool or what? Now you can really enjoy the 'Net.

For the time being, I would agree dundela, however I have a feeling there is a serious scramble on for the ultimate killer app.. and whether it's M$ with their Longhorn creation, OR Google with an online working/searching environment.. who knows! All I know, is that there will be some serious shake-ups in the next 2-3 years.. watch this space!! :o)

Rather than linking here's the story in full

From ENTmag.com:

News

'Extremely Critical' IE Exploit in the Wild

by Scott Bekker

6/10/2004 — Users running fully patched versions of Internet Explorer are vulnerable to a new exploit in the wild that has been used to load adware onto systems whose owners did nothing more than click on a malicious Web address, according to security researchers.
Secunia, a security firm, labels the problem "extremely critical." The company uses the designation for remotely exploitable vulnerabilities that can lead to system compromise, don't normally require interaction and have exploits in the wild.

Unlike most exploits, the IE flaw appear to be a so-called "zero-day exploit" -- in that the exploit appeared before an official Microsoft patch was issued for the underlying flaw. In most cases, exploits are developed after Microsoft or independent security researchers publicly expose the problem along with a simultaneous patch. In those cases, Windows users and malware authors are in a race -- users to patch their systems and malware authors to create an exploit based on the flaw before most systems are protected.

Microsoft, which released its monthly batch of security patches for June on Tuesday, did not have any warnings or information posted about the problem on its main security pages such as www.microsoft.com/security as of mid-afternoon Thursday. A Microsoft spokesperson said the company is reviewing the issue.

"Microsoft is actively investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer and will continue to investigate to determine the appropriate course of action to protect our customers," the spokesperson said. "This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

If Microsoft does release a fix before its next Patch Tuesday, which would fall on July 13, it would be on the second time it has issued an out-of-cycle patch since instituting its monthly patching cycle last year.

For customers who want to minimize risks, the spokesperson provided links to two older Microsoft documents that don't specifically reference the problem. One is a page of safe browsing tips at www.microsoft.com/security/incident/settings.asp. The other is for enterprise customers looking to minimize risk by increasing the security of the Local Machine Zone in IE: support.microsoft.com/default.aspx?scid=kb;en-us;833633.

Fire up your alternate browsers, IE is going to mess you up again

Thanks for the update--it's time to do the Windows Update again!

Sorry bhartzer,

Only problem is there is no patch.

I often wonder if the Linux model of a kernel and then you pick and choose your browser, e-mail client etc etc wouldn't be better for Windows.

Not just making something else the default but dumping what you don't want.

Maybe the integration wouldn't be as good but it has to be better than patching and praying. Just my opinion.

netman4ttm, bunch of people pointed out that they have never had a problem with any security threats while running Mozilla Firefox.
Everything about it, including download, is found here:
http://texturizer.net/firefox/

Who cares?
Well, it just so happens that it is very easy to make it your 'default' browser. You merely have to go into the 'Tools/Options' and click on , get this...
"Set Firefox as your default browser"
:O)))

It is really my favourite browser now, it took a slight bit of getting used to, but the features and 'extensions' are incredible, it is made for web developers, you should see.
Ask any more questions here.(This thread)

Here is the other thread I refered to:
http://www.webproworld.com/viewtopic.php?t=21045

PS, that is the second 'zero day' exploit that has happened to IE.
But I do want to point out, that the 5 'Most Critical Vulnerabilities' for last week were in Linux(3), Mac and SumMicro(Solaris) operating systems.

And it is far easier, I'vre found, to do most things in windows than Red Hat/Linux.
Far easier.

Mike,
I love Firefox.
And I agree for ease of use Redmond has everyone beat.
My fear is that Redmond by locking the OS to a Gui to a web browser to an e-mail client has more on its plate than it should.
Do you really need a gui running on a server? Most of the time I wouldn't think so. It wasn't that hard to type win at the command prompt back in the 3.1 days. Hey just my opinion, and the guys whose opnion really matters Gates and Jobs are a lot richer than I am.

Hi there mikmik,

Thanks for the info on Internet Exploder.

Just today I received an email that the "glitch" is back in my shopping cart system. This "glitch" causes the first item on the page to be added to your shopping cart no matter what item you actually add to your cart.

The people having the problem where the ones running Windows XP Pro or 2000 with the latest and greatest IE. Somehow the latest patch was making IE unable to differentiate between each form item on the page and therefore they had to me named "order 1" , "order 2" and so on....

This cleared up the problem...BUT now it's back again. Is it safe to assume that the June patch has disrupted this process?

Mik (Michaela)

This month MSDN has launched a new blog about IE called IEBlog:

http://blogs.msdn.com/ie/

The blog that sslcheap mentioned (some 10 months back!) has an interesting post entitled "IE7 has tabs (http://blogs.msdn.com/ie/archive/2005/05/16/417732.aspx)!". The post discusses how tabbed browsing will work in IE7.

The comments that accompany the post are particularly interesting. One visitor applauds the introduction of tabbed browsing but questions whether it can be disabled or not. A good read all the same!

Paul

In a typically beligerrent move by Microsoft, the beta version of their IE7 browser is reported to remove a user's Google and Yahoo! toolbars and replace them with a default MSN Search.

Read the full article at The Register (http://www.theregister.co.uk/2005/07/28/ie7_nukes_rival_search/)