× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. February 2004

Re: New IE security advice from Microsoft

Anton Gombkötö wrote:
Hi Hans,


As someone else suggested, the best advice that MS could have given
would be to uninstall IE and use some alternative browser like
Mozilla or Opera. But we all know how likely that is.



But the whole issue about entering the links, because they can be
faked in the address line in IE (and some others, too), is almost the
same as a link looking proper and with JavaScript's onClick the page
does whatever it wants, e.g. opening a window with another address but
without address bar, so the user can't even notice.

That would be the same in many other browsers, too, wouldn't it? And
it is a way chosen by many more or less reputable sites.

Stepping into someones shop is dangerous. He might try to sell you
rubbish at a much too high price. It's pretty much the same in the
internet. Await the worst, then you can only be surprised in a
positive way. (The problem with that rule is that i imagine things not
bad enough in the first place :-)

I don't want to defend M$, neither do they have the need for my
efforts nor do i think they deserve it, but this whole thing implies
to the reader that clicking on a link in a non-M$ browser is safe. It
might be safer, because they invested more than marketing in security
thoughts, but it isn't safe.

0.02 Euro

Anton: Certainly, some links are best left un-clicked, no matter what the browser. For example, links in messages in public guest books.

But as I understand the problem, the nature of the holes in IE are such that you can go to fake site, and there is nothing to suggest that you are anywhere else but a legitimate site. That is, in a proper browser, the address line would show the complete URL, like say for example, "http://www.ibm.com/%01@xxxxxxxxxxxxxxxxxxxx/fleece-visitor.html."; But in IE, you'd see just "http://www.ibm.com/";, and quite possibly you wouldn't think twice when prompted for a customer number or a credit card number.

It's just an interesting bit of news that MS *themselves* have said that one way to protect yourself from possible exploits is to manually cut and paste URL's into the address bar!

Anyways, AFAIK, MS is planning on /eventually/ releasing fixes for the recently disclosed holes, including disallowing '@' in URL's, a feature that's not commonly used anyways. Before that happens, take this as a good motivator to install and use a decent browser, like Mozilla. It used to be that IE was the leading edge in browser technology. But now that's no longer true.

Cheers! Hans


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.