
Security Watch : Don't get burned by viruses and hackers.
How Microsoft botched another security patch
By Robert Vamosi 
Senior associate editor, CNET Reviews
February 11, 2004

Last week Microsoft quietly released a patch for Internet Explorer that, among other things, fixed a flaw that had allowed phishing scams to operate. Trouble is, you probably didn't know the patch came out. And, even if you did, you probably weren't aware that Microsoft also changed some basic functionality within Internet Explorer that may have prevented you from logging in to familiar Web sites.

Cut the legalese, please
Once again, Microsoft released an important update to its widely used browser without clearly explaining the changes to developers or sufficiently announcing its existence to the general public. I expect better from the world's largest software vendor.

On February 2, the software giant released the patch in question, called MS04-004, which affects users of Internet Explorer 5.01, 5.5, and 6.0--something like 90 percent of Internet users these days. MS04-004 is a cumulative update, so if you haven't updated your IE recently, this package should do the trick.

Like every other Microsoft security bulletin, have your legalese dictionary in hand before you try to read either the supposedly dumbed-down end-user version or the ever-evasive technical version. Neither is particularly clear.

The biggest problem fixed in this patch has been well known for many months; it allows special characters in the HTTP or HTTPS address field to mislead users into thinking they're going to one site when in reality they're heading to another. This is a trick often employed by phishers, a.k.a. e-mail scam artists: They send e-mail that looks like it's from a legitimate company, requesting personal info, but which really takes you to a fraudulent Web site that has no connection to the legitimate company.

For example, a link within a phishing e-mail message might be coded as "http://www.citibank.com/legitimate.html@www.haxor.com/phishingscam.html". In your e-mail, you'd see only the first part--"http://www.citibank.com/legitimate.html"--highlighted as a link. But when you clicked it, you'd go to "http://www.haxor.com/phishingscam.html". What Microsoft has done is remove the ability to link to the second part of the URL if a special character (such as an @ sign) is used.

Users hurt by this decision
The trouble is, some Web sites use special characters in URLs for legitimate purposes, such as delimiting your username and password for easy login. So, for users who dutifully installed the patch, sites that use this feature won't work anymore.

One immediate casualty is the porn industry, but mainstream sites such as universities and corporate reseller programs use this technology as well. For a more technical discussion of this change, you can read Microsoft's Knowledge Base article on the topic.
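The two cases above, the misleading "site@realhost" link and the legitimate "user:password@host" login, are the same URL feature seen from two sides: everything before the @ sign is the userinfo part, and the real destination is whatever follows it. The following is an added example (not from the column or from Microsoft) showing how a mail gateway or link checker can tell the two apart by parsing the URL the way a standards-compliant client does and flagging links whose userinfo is itself shaped like a hostname. One caveat a practitioner should know: in a URL parsed per RFC 3986 the host part ends at the first slash, so the column's example with a slash before the @ sign resolves to www.citibank.com, and the spoof only works in the form without that slash; the code uses that constructed no-slash variant alongside the column's own form. The sample e-mail text, the intranet.example.edu address and the helper names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Userinfo that looks like a domain name (labels separated by dots) is the
# tell-tale sign of the "trusted-site@real-host" trick; a plain username
# such as "alice" or "alice:secret" does not match this pattern.
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Loose matcher for http(s) links embedded in free text (constructed for this example).
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+")


def analyze_link(url):
    """Report where a link really goes and whether its userinfo is misleading.

    Uses urllib's parsing, which follows RFC 3986: the authority ends at the
    first '/', and the host is whatever follows the last '@' in it.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    username = parts.username          # None when there is no '@' in the authority
    has_credentials = parts.password is not None
    looks_like_spoof = bool(username) and HOSTLIKE.match(username) is not None
    return {
        "host": host,
        "userinfo": username,
        "has_credentials": has_credentials,
        "looks_like_spoof": looks_like_spoof,
    }


def strip_userinfo(url):
    """Rewrite a link so it points at the real host with no userinfo part.

    This is roughly the effect of refusing the userinfo syntax, as the patch
    described in the column does, but applied at a gateway instead of in
    the browser: the destination is kept, the misleading prefix is dropped.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


def flag_links(text):
    """Scan free text and return (url, real_host) for every spoof-shaped link."""
    flagged = []
    for match in URL_IN_TEXT.finditer(text):
        url = match.group(0).rstrip(".,;)")
        info = analyze_link(url)
        if info["looks_like_spoof"]:
            flagged.append((url, info["host"]))
    return flagged


# Constructed sample message mixing the column's example, the no-slash form
# the trick actually relies on, and a legitimate credential login.
SAMPLE_MAIL = """\
Dear customer, please confirm your details at
http://www.citibank.com@www.haxor.com/phishingscam.html today.
Our statement archive is at http://www.citibank.com/legitimate.html@www.haxor.com/phishingscam.html
and the staff portal remains http://alice:secret@intranet.example.edu/login.
"""

if __name__ == "__main__":
    for url, real_host in flag_links(SAMPLE_MAIL):
        print(f"flagged: {url}\n  really goes to: {real_host}\n  rewritten as: {strip_userinfo(url)}")
```

Running the block on the constructed message flags only the no-slash link, reports www.haxor.com as its real destination, and leaves the credential login to intranet.example.edu alone, which is exactly the distinction the patch could not make when it simply refused every URL containing an @ sign.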

Though this reworking of IE required Web developers to make changes on their sites, Microsoft gave them less than one week of notice to do so. Some Web sites, frustrated by customer complaints, have already opted to reverse that part of the patch for their customers--negating any security enhancements Microsoft might have hoped for in issuing the patch. In addition, it has no doubt been frustrating for users to be inexplicably blocked from sites they've accessed frequently before. Would it have been so hard for Microsoft to give developers and the public more notice about this patch?

But I guess the more practical question is: Should you install the latest IE patch? Yes. MS04-004 is cumulative, so the additional security benefits probably outweigh the glitches for most people. Will MS04-004 end phishing scams? No. Not everyone will download and install this patch, so phishers will still have many victims from whom to con personal information.

And will this be the last time Microsoft abruptly changes functionality in the name of security? Probably not. According to one Microsoft security response team member, "Our customers have said, 'We want security,' so that is the change that we gave them." I take that to mean, unfortunately, that we can expect this sort of scenario to play out again in the near future. If only Microsoft would take a little extra effort to communicate, it would save developers and end users many headaches.

What do you think? Should Microsoft make a bigger deal about its security patches? Tell me about it--TalkBack to me!

© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.