Users report inconsistent results from latest IE patch

Munir Kotadia ZDNet.co.uk

Published: 04 Feb 2004 18:15 GMT

Microsoft's latest security patch for its Internet Explorer browser doesn't always work, users report. The fix was supposed to disable a commonly used feature that allows usernames and passwords to be transferred within a URL. However, some users have found that even after the patch is deployed, the "feature" is still active.

Microsoft said it has not as yet received any complaints from users experiencing the problems, but tests by ZDNet UK confirm that even after the latest patch is applied, Internet Explorer still allows URLs containing password and user information to access Internet resources, contrary to Microsoft's claims. However, at this stage it is still unclear why some users find the patch works, while others are still left vulnerable.

Peter Ibbotson, technical director at software supplier Lakeview Computers told ZDNet UK that the problem could be a result of Microsoft designing the fix so that it does not affect other applications that also work with the browser: "One of the nice things about Internet Explorer is that you can bury it inside Outlook and other applications. Because of this, Microsoft does not know where developers have embedded IE," he said.

But Ibbotson said it is possible to fix the problem by creating additional keys in the Windows Registry and turning the feature off manually: "Creating a registry key does get you out of the hole -- certainly was working for me," he said.

Ibbotson said that if the patch is deployed on a "clean" system, it works well, but he suspects that when third-party applications that use Internet Explorer are added, such as Google's Toolbar, users will have to turn the feature off manually in the registry: "If you want to do the same trick for other people's programs, you can as long as you know what the executable file is called," he said.
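The per-executable registry setting described above can be audited with a short script. This is an added example, not code from the article or from Microsoft; it assumes the setting in question is Internet Explorer's `FEATURE_HTTP_USERNAME_PASSWORD_DISABLE` feature-control key, which the article does not name, and the default executable list is illustrative.

```powershell
# Added example: report (and optionally set) the per-executable opt-in that
# makes a host process refuse user:password@ syntax in HTTP/HTTPS URLs.
# Assumption: this FeatureControl key is the registry setting the article means.
# Writing under HKLM requires an elevated session.
param(
    [string[]]$Executable = @('iexplore.exe', 'explorer.exe'),  # host processes to check
    [switch]$Enable                                              # write the value instead of only reporting
)

$key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE'

# Create the key on demand only when asked to change state.
if ($Enable -and -not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}

foreach ($exe in $Executable) {
    if ($Enable) {
        # One DWORD value per executable name; 1 turns the blocking behaviour on.
        New-ItemProperty -Path $key -Name $exe -Value 1 -PropertyType DWord -Force | Out-Null
    }

    # Read back the current state; a missing key or value leaves $value as $null.
    $value = $null
    if (Test-Path -LiteralPath $key) {
        $value = (Get-ItemProperty -LiteralPath $key -Name $exe -ErrorAction SilentlyContinue).$exe
    }

    [pscustomobject]@{
        Executable = $exe
        Value      = $value
        Blocked    = ($value -eq 1)   # absent or 0 means the process still accepts such URLs
    }
}
```

Any application that embeds the browser control has to be listed under its own executable name, which is why a host that was never added can still accept credential-bearing URLs after patching.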

James Governor, principal analyst at RedMonk, told ZDNet UK that he is not surprised that the patch has caused problems for some people, especially because of add-on applications: "People think Google is something you do on the Web, but (tools like this have) moved onto their desktop and the browser." Governor said he wouldn't be surprised if similar tools were interfering with the patch.

According to Governor, Microsoft has done a good job because fixing the problem was necessary, but he warns that lots of companies will be affected because using passwords in URLs is common: "Lots and lots and lots of customers have used this hack, so I'm not surprised it is throwing up problems. It is probably not good coding practice, but it is an approach that works. Yes it is a bit of a hassle for Microsoft, but sometimes you do have to break things," he said.

Stuart Okin, chief security officer at Microsoft UK told ZDNet UK that the company was always aware that some customers would experience problems: "It is a careful balance that you have to take. On one hand you have the risk of phishing attacks and passwords on the URL, but on the other hand we didn't want to cause a great deal of problems with applications," he said.

Okin said that if users are finding that the patch does not work correctly, they should contact Microsoft immediately, so it can analyse the problems: "It is a potential risk which is one of the reasons why we brought out the patch. If people are seeing actions that are happening because the patch should have blocked something but it hasn’t, they should clearly ring Microsoft and give us that feedback. If they don't think the patch is doing the job then they should tell us," he said.

Customers in the UK should call the Microsoft Contact Centre on 0870 60 10 100 while from the US, the number is 1-866-PCSAFETY. Otherwise, Okin recommends visiting Microsoft's Security Web site.

If you have experienced problems with the patch, let us know; either use the TalkBack below, or email us.
