This article originally appeared in the Development Security Spotlight newsletter.
Facing loud criticisms about the vulnerabilities in Internet Explorer and Windows Explorer, Microsoft has released a major patch that affects the way browsers interpret URLs. This article will help you determine whether these changes might affect your development environment.
No more @ signs in URLs
IE’s default behavior for handling http and https URLs in the address line has led to serious vulnerabilities known as URL spoofing. This is when a malicious Web site could appear to have another URL, tricking users into downloading malware or sharing personal information such as passwords.
Microsoft’s fix involves the elimination of URLs containing the @ character, such as:
After you apply the patch, if user information is included in an http or an https URL, a Web page with the title “Invalid syntax error” appears by default.
Microsoft provides Web and application developers with workarounds to this patch. For URLs that are opened by objects calling WinInet or Urlmon functions, use the InternetSetOption function and include the following option flags:
And, instead of the InternetOpenURL function, use the IAuthenticate Interface.
For URLs opened by a script using credentials for state management, start using cookies. (MSDN offers details on how to use HTTP cookies with Visual Basic in an ASP.NET program.)
Once you install the update in IE, altering registry values will let you apply the new behavior to other programs or to disable the feature in IE. (Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)
Developers who work with Web sites that include the @ symbol in legitimate URLs will need to make some changes when Microsoft users apply the IE patch. The Knowledge Base article 834489 contains preliminary information, and Microsoft says it plans to add to the article as more information becomes available. But, for now, the Knowledge Base article should give you an opportunity to begin altering existing applications or Web sites and to avoid using the soon-to-be-invalid URL strings in any current projects.
Although these changes aren’t a direct response to MyDoom and other worms that have made headlines lately, they do represent a major change in the way IE and Windows Explorer will work and in the level of security they provide. It’s unfortunate but understandable that combating such a major threat will require some developers to alter existing programs to conform to the new syntax restrictions.