
IE Phishing flaw has been fixed with a good twist
One small step in the right direction,

Microsoft changes functionality of Internet Explorer to display "Invalid Syntax" when using user:pass@domain in a URL.

The latest security update for Feb (4)? causes these types of URLs to break. This means the fix has a great side effect. The spammers and phishers who always try to mask their identity with a stupid flaw like this WILL FAIL. This will eventually cause anyone who updated to not be able to view spam sites with these types of URLs. Urge Windows users to upgrade now!

This is good news!
Re: IE Phishing flaw has been fixed with a good twist
On Fri, Feb 06, 2004 at 10:09:11 -0500, Fred wrote:
> One small step in the right direction,
>
> Microsoft changes functionality of Internet Explorer to display "Invalid Syntax" when using user:pass@domain in a URL.
>
> The latest security update for Feb (4)? causes these types of URLs to break. This means the fix has a great side effect. The spammers and phishers who always try to mask their identity with a stupid flaw like this WILL FAIL. This will eventually cause anyone who updated to not be able to view spam sites with these types of URLs. Urge Windows users to upgrade now!
>
> This is good news!

ya, unless you're the admin for many legitimate sites that use that syntax.

a huge rewrite will be on some people's cards now :(

--
A Pope has a Water Cannon. It is a Water Cannon.
He fires Holy-Water from it. It is a Holy-Water Cannon.
He Blesses it. It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it. It is a Wholly Holy Holy-Water Cannon.
He has it pierced. It is a Holey Wholly Holy Holy-Water Cannon.
He makes it official. It is a Canon Holey Wholly Holy Holy-Water Cannon.

Yes, of course it's the right cabl [le0: NO CARRIER]
Re: IE Phishing flaw has been fixed with a good twist
Ralf Vitasek wrote:
> heh?
>
> you mean they removed a feature (which i personally think it's quite
> useful).
> instead of fixing their display bug?
>
> sounds pretty stupid to me.
>

An article on MSDN explains that this feature is only changing for HTTP; it
will still exist for FTP.

They are changing this to follow:
http://www.ietf.org/rfc/rfc2616.txt

This rfc talks about replacing Basic authentication from 1.0
http://www.ietf.org/rfc/rfc2617.txt

On a side note, even the Win32 API, XML controls and a few others will be
changed to support this. They have a work-around if you require this fix,
but it's regedit work.

Read original article here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
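As an added illustration (not code from the thread or from Microsoft), the check below mirrors the documented behaviour of the change: a user:pass@host authority is reported as "Invalid syntax" for http/https, still accepted for ftp, and in every case the host the browser would actually connect to is returned, which is what a mail filter or log reviewer wants to see. The sample message body and the host names are constructed for the example.

```python
"""Flag http URLs that carry a user:pass@ authority, as KB 834489 does.

Added example, not from the thread or from Microsoft.  Assumption:
after the change only ftp keeps userinfo, so only ftp is whitelisted.
"""
import re
from urllib.parse import urlsplit

# Schemes for which userinfo in the authority is still honoured
# (assumption based on the post above: HTTP loses it, FTP keeps it).
USERINFO_ALLOWED = {"ftp"}

# Rough URL extractor for scanning message bodies or proxy logs.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+")


def inspect_url(url: str) -> dict:
    """Split a URL and say what a post-834489 browser would do with it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.netloc
    has_userinfo = "@" in netloc
    # urlsplit strips the userinfo, so .hostname is the real target host.
    real_host = parts.hostname or ""
    # The part before '@' is what a victim sees first in the address bar.
    decoy = netloc.rsplit("@", 1)[0] if has_userinfo else ""
    if has_userinfo and scheme in ("http", "https"):
        verdict = "Invalid syntax"  # behaviour described in the post
    elif has_userinfo and scheme in USERINFO_ALLOWED:
        verdict = "allowed (userinfo kept for ftp)"
    elif has_userinfo:
        verdict = "reject"
    else:
        verdict = "ok"
    return {"scheme": scheme, "real_host": real_host, "decoy": decoy,
            "has_userinfo": has_userinfo, "verdict": verdict}


def masked_urls(text: str) -> list:
    """Return the http/https URLs in text whose authority hides the host."""
    return [u for u in URL_RE.findall(text)
            if inspect_url(u)["verdict"] == "Invalid syntax"]


# Constructed sample message body (not a real lure).
SAMPLE_MAIL = """Dear customer, please verify your account at
http://www.example.com:login@evil.example/verify within 24 hours.
Our FTP mirror remains at ftp://anonymous:guest@ftp.example.org/pub/"""

if __name__ == "__main__":
    for u in masked_urls(SAMPLE_MAIL):
        info = inspect_url(u)
        print(f"masked: shows '{info['decoy']}', goes to {info['real_host']}")
```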
Re: IE Phishing flaw has been fixed with a good twist
On Fri, 6 Feb 2004 15:09:33 +0000, Mat Harris <mat.harris@genestate.com>
wrote:
>On Fri, Feb 06, 2004 at 10:09:11 -0500, Fred wrote:
>> One small step in the right direction,
>>
>> Microsoft changes functionality of Internet Explorer to display "Invalid Syntax" when using user:pass@domain in a URL.
>>
>> The latest security update for Feb (4)? causes these types of URLs to break. This means the fix has a great side effect. The spammers and phishers who always try to mask their identity with a stupid flaw like this WILL FAIL. This will eventually cause anyone who updated to not be able to view spam sites with these types of URLs. Urge Windows users to upgrade now!
>>
>> This is good news!
>
>ya, unless you're the admin for many legitimate sites that use that syntax.
>
>a huge rewrite will be on some people's cards now :(

Better yet, have your users that are fans of HTML email switch to
reading their email in plain text as, believe it or not, MS now
recommends. From
http://www.microsoft.com/technet/security/bulletin/MS04-004.asp,

"Workarounds
[...]
If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later,
read e-mail messages in plain text format to help protect yourself
from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later
and Outlook Express 6.0 users who have applied Service Pack 1 or later
can enable a feature that will enable them to view all
non-digitally-signed e-mail messages or non-encrypted e-mail messages
in plain text only."

Alan Baxter
P.S. It's ironic that the originator of this thread is sending HTML
email.


--
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
Re: IE Phishing flaw has been fixed with a good twist
On Fri, Feb 06, 2004 at 09:23:22 -0700, Alan Baxter wrote:
> Better yet, have your users that are fans of HTML email switch to
> reading their email in plain text as, believe it or not, MS now
> recommends.

hehe :) so mutt will one day become the god of mail clients :)

m$ themselves have decreed it!

> From
> http://www.microsoft.com/technet/security/bulletin/MS04-004.asp,
>
> "Workarounds
> [...]
> If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later,
> read e-mail messages in plain text format to help protect yourself
> from the HTML e-mail attack vector

sounds like a game of bull$h1t bingo to me

> Microsoft Outlook 2002 users who have applied Service Pack 1 or later
> and Outlook Express 6.0 users who have applied Service Pack 1 or later
> can enable a feature that will enable them to view all
> non-digitally-signed e-mail messages or non-encrypted e-mail messages
> in plain text only."
>
> Alan Baxter
> P.S. It's ironic that the originator of this thread is sending HTML
> email.
>

well I may sound disparaging but it is actually a good idea and will work
when people discover that sending HTML mail and reading plaintext do not
work at all well together.

Re: IE Phishing flaw has been fixed with a good twist (Humor)
--On Friday, February 06, 2004 10:09 AM -0500 Fred <spamassassin@freddyt.com>
wrote:

> Microsoft changes functionality of Internet Explorer to display "Invalid
> Syntax" when using user:pass@domain in a URL.

<http://i-want-a-website.com/about-linux/articles/feb04/zero-click.shtml>