M$ putting security before a feature!


  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    M$ putting security before a feature!

    This is a good read! People are complaining about the last IE patch from M$ (http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp) because M$ is putting security before a feature used by some of its customers. Good read.

    Some Web developers are complaining that an Internet Explorer patch that's meant to foil Net scams is disabling some applications that didn't put a premium on security.

    Microsoft last week announced that a modification to its IE browser would stop the insecure practice of including sensitive information in links. The update, which was released Monday, had some Web site programmers up in arms Wednesday due to complaints from Web users that they could no longer log in to sites that secure entry through credentials included in the URL.

    "Microsoft may have legitimate reasons for addressing the issue, but the way they addressed it--an across-the-board kill of an industry standard--is troublesome," said James Rosko, a software engineer for a data-processing service on the Web. He and other programmers spent Tuesday night making changes to the programs that process login requests for his company's Web site, which he requested not be named.


    The incident could be the first known case of Microsoft getting attention for putting security before a feature used by some of its customers. Microsoft promised to put security first when it launched its Trustworthy Computing Initiative more than two years ago. But some critics have claimed that they haven't seen many results.

    "I really look at it from the standpoint of the majority of customers," said Stephen Toulouse, security program manager at Microsoft's security response center. "Our customers have said, 'We want security,' and so that is the change that we gave them."

    The problem occurs when programmers design a Web site to enable a Web user to log in by typing credentials into the URL. In such cases, the Web address might look like this: http://username:password@www.somecom...m/program.ext. The link gives the person access to a company's Web site when the authentication program verifies the username and password.

    Because the username and password are part of the Web address and are not encrypted, embedding the credential in the URL is considered a security risk, said William Kennedy, chief technology officer at ActivMedia Robotics and the co-author of "HTML & XHTML: The Definitive Guide."

    "It was a dumb idea to include such functionality in the first place," Kennedy said. "There are millions of other ways of logging in to a site."

    However, that sentiment was not what made Microsoft disable the feature. The software giant made the change to stop scam artists from constructing URLs that appeared to link to a legitimate Web site but actually directed people to a fraudulent site. For instance, a URL that appears to go to eBay could actually send the person to a fraudulent site such as: http://www.ebay.com@fraudsite.com.

    The fake site will typically ask for a person's username and password and then use that information to complete a scam. Major banks and other financial Web sites, such as PayPal, are popular targets of such fraud, often called "phishing." The Federal Deposit Insurance Corp., the government organization that underwrites U.S. citizens' banks accounts, recently warned of a similar scam.

    "I suspect most folks never heard of this feature," said Richard Smith, a privacy and security expert. "The big exception, of course, is the phishing scam artists."

    Programmer Rosko acknowledges that putting the username and password in the URL is not very secure, but he stressed that some applications don't need the security.

    "This is for noncritical information," he said. "It is information that we would just rather not have everyone on the Web have access to."

    In some cases, making the change after the IE update has been difficult.

    Angus Systems Group, an online service that allows commercial property owners to manage tenant requests, uses URL credentials so that users can log in to a third-party application that generates reports. The application is not sensitive enough to require individual logins; so users typically log in as part of a group by using a specific URL.

    "It wouldn't be that much of an issue, if it was a per-user basis--if the user was responsible for their own credentials," said Brad Aisa, senior architect for Angus Systems. "Unfortunately, we don't have any control over that aspect of (the third-party application's) security."

    Aisa wasn't aware of the issue until customers started complaining.

    "All of a sudden, you come in one day, and things aren't working anymore, because (Microsoft has) determined that a way they are doing things is not secure," he said. "There should be an opt-in system for that."

    After looking at the options, Angus Systems will likely have to reverse Microsoft's security move by giving people a registry update to turn off that part of the patch, Aisa said.
    Source : http://zdnet.com.com/2100-1105_2-5153534.html
    -Simon "SDK"

  2. #2
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    Hahaha...So, Microsoft blatantly tries to make security a priority, and it seems to have backfired in their face. That's rich.....it really is.

    That was pretty interesting....thanks SDK.
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  3. #3
    Top Gun Maverick811
    Join Date
    Oct 2001
    Posts
    852
    Well, in this case, it seems MS can't win - they don't provide secure apps, people complain - then they do provide a patch to fix a security issue, and people still complain. Now don't get me wrong, I'm not a fan of MS by any means, but these people complaining is a little ridiculous... Authentication via the methods described in the article is not secure at all, and I don't think web developers should ever use that way - if your app is sensitive enough to need some form of authentication, it's a little crazy to say well, we'll just provide a very basic and insecure way of logging in - that'll keep MOST people out, but we full well acknowledge the fact that if somebody wanted in they could gain access - that's just bad security practices right there...

    If installing the latest patch from MS breaks your app because of your insecure authentication procedures, don't get all pissy at MS - the app was developed that way, it can and should be changed in the first place..

    Just my thoughts....
    - Maverick

  4. #4
    Junior Member
    Join Date
    Jan 2004
    Posts
    16


    I just find it amusing that the reason Microsoft can't win in this situation is because of their past history of developing less than secure products.

    They've trained users to expect everything to be super easy and requiring minimal effort. Now they're trying to reverse course and all of their "well trained" users are flipping out because they might actually have to put a little more thought into things rather than have Microsoft think for them.

    If they had just put in the time and effort into developing secure products to begin with, they wouldn't have all these lazy people complaining about not being able to do things the "easy" way anymore.

    I do applaud them for biting the bullet and fixing this issue despite the backlash, but I don't feel bad for them because they brought this on themselves.

  5. #5
    oldie ric-o
    Join Date
    Nov 2002
    Posts
    487
    Oh my GOD! Using this authentication, placing username and password on the URLs, is basic web application security NO-NO #1!!!!!! You learn that day one to NEVER use that!

    I like this quote from the article:
    "Microsoft may have legitimate reasons for addressing the issue, but the way they addressed it--an across-the-board kill of an industry standard--is troublesome," said James Rosko, a software engineer for a data-processing service on the Web. He and other programmers spent Tuesday night making changes to the programs that process login requests for his company's Web site, which he requested not be named.
    Yeah, because if he names the site every hacker (cracker) who reads the article will CRACK an account through brute force URLs since it's so easy! How embarrassing to have your name identified as an insecure coder. IMO of course.

    Thanks for the article SDK!

  6. #6
    Top Gun Maverick811
    Join Date
    Oct 2001
    Posts
    852
    Originally posted here by ric-o
    Yeah, because if he names the site every hacker (cracker) who reads the article will CRACK an account through brute force URLs since it's so easy! How embarrassing to have your name identified as an insecure coder.

    It's funny you say that, those were my exact thoughts...

    I mean, this guy has no basis to bring some kind of argument against MS, it's HIS fault he's using insecure methods... Like you say, no wonder he wants to keep his site anonymous...

    Again, I'm not a MS advocate, but damn, when they try to fix their issues and people still bitch and complain, that's just ridiculous...
    - Maverick

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    31
    I'm a web programmer. And guess what... this thing hit us in the face this week. This URL login feature was not meant to secure a web site with military security; it was just a little "more" security than usual. And we used it in our update administration module, to secure some ASP files for administration (but there was also a session login). It's basically a little more security than just the session login (basically, it's just an NTFS user that has the rights of the anonymous user, with the only difference that it's the only one that can read the admin directory. But there is still a session login for accessing executable files -ASP, PHP etc.- in the admin directory). Now we get a lot of unhappy customers that can't access their websites, and we now need to disable the NTFS protection to make them happy. We can't allow them to see the NTFS popup because they are already logged in via a form that checks for the users in the DB.

    Guess what. There ARE other solutions:
    - Make the username and password in a URL like "user:password@url.com" a different color from the URL, or something else that makes the username and password information different from the URL.

    - Make a little popup advice. It can't be more dangerous than all the other popup security advice with ActiveX and other stuff.


    It's really a "drastic" solution from Microsoft to remove all that. It's been part of IE for a long time and it's in an RFC.

    Of course, this method should really not be the only way to log in to a web app. It's really insecure, of course, to rely on that as just ONE security method.

    Oh, and just think of some links in websites to some FTP sites that use a login and password.

    But my opinion is that it shouldn't have been in an RFC in the first place. It's certain that some people will rely on this method and secure their web app only with that, which is really stupid.

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    I fully support what MS has done in this case.

    One of the companies I support does use IE, and as far as I am concerned, this fixes some massive loopholes. Apart from anything else the patch works properly, in the sense that a malformed URL is rejected completely by IE.

    It refuses to display the web page, unlike some other browsers I could mention that display it with the 'double' web address which would be enough to fool naive users.

    Apart from anything else, don't these people test MS updates to see if they have any impact on home grown systems ?? Anyway in this case his complaint is ridiculous, because that is about as insecure as you can get - why bother in the first place?

    EDIT: I wasn't having a go at xicepik, it's just that we replied at the same time, so I didn't see his comments.
    I still stand by my observation that for any OS (Windows, linux, whatever), you should always test a patch before rolling it out. I was totally unaware this was in the RFC, which seems odd to me

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I fully supported M$ on this one also! I'm proud of them for once!
    -Simon "SDK"

  10. #10
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    Microsoft and Security = Oxymoron!!!
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle
