Hi!

> Anton: Certainly, some links are best left un-clicked, no matter what
> the browser. For example, links in messages in public guest books.

Yes, and some of them shouldn't even be copied & pasted to the address
line... :-)

> But as I understand the problem, the nature of the holes in IE is such
> that you can go to a fake site, and there is nothing to suggest that you
> are anywhere else but a legitimate site. That is, in a proper browser,
> the address line would show the complete URL, like say for example,
> "http://www.ibm.com/%01@xxxxxxxxxxxxxxxxxxxx/fleece-visitor.html". But
> in IE, you'd see just "http://www.ibm.com/", and quite possibly you
> wouldn't think twice when prompted for a customer number or a credit
> card number.

Hm. OK, I now see the problem. There could be sites selling everything
(no need for really existing goods) and telling you that IBM is doing the
credit card processing, or telling you that there is a free iSeries waiting
for you at IBM, when you click on this link and log on with your IBM
user-id and password along with a promo-code. Seeing
https://www.ibm.com/promo.nsf?freeiseries could convince me... :-)

Thanks! I will be extremely careful at IBM now! :-)

> It's just an interesting bit of news that MS *themselves* have said
> that one way to protect yourself from possible exploits is to
> manually cut and paste URL's into the address bar!

I guess they have thought for hours before they wrote it. But what else is
left? And the text, as I understand it, deals with surfing the web
*after* you installed all security patches. I don't read it as a
work-around. Do you?

One of the safest ways not to be the victim in a plane accident is to
never fly in your life. But even then a plane could fall on your
head...

> Anyways, AFAIK, MS is planning on /eventually/ releasing fixes for the
> recently disclosed holes, including disallowing '@' in URL's, a feature
> that's not commonly used anyways. Before that happens, take this as a
> good motivator to install and use a decent browser, like Mozilla. It
> used to be that IE was the leading edge in browser technology. But now
> that's no longer true.

Yep, M$ seems to hold it until the patent issue concerning
user-interventionless embedding is finished and other things are gone.

And I don't think that they really have much interest in it any more.
The mass of users seems to use the browser (& email program) that came
with their OS and don't update it. So I guess we won't see anything
before the next OS (try). (And if there aren't millions of new users
all the time, they aren't learning from their errors, otherwise the
latest viruses wouldn't have such a population :-)

And of course I use Mozilla. I guess I can't live any longer without
the web developer's toolbar and Live HTTP headers! :-) A customer even
insisted on M$ IE and Mozilla (nothing else :-) and strictly forbade
the use of JavaScript.

> Cheers! Hans

Good idea! Cheers!

-- 
Mit freundlichen Grüssen / best regards

Anton Gombkötö
Organisation und Projektleitung

Avenum Technologie GmbH
Wien - Salzburg - Stuttgart
http://www.avenum.com
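
An added example, not part of the original post: a Python link check for the '@' trick discussed in this thread, which reports the host a link really goes to and flags a userinfo part that imitates a hostname or hides a control character such as %01. The function name `inspect_link`, the host `example.test` and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

def inspect_link(url):
    """Return (real_host, findings) for a link before it is clicked or pasted."""
    parts = urlsplit(url)
    findings = []
    # Only an '@' inside the authority (between '//' and the next '/')
    # separates userinfo from the host; an '@' in the path changes nothing.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        findings.append("userinfo before '@' in authority: %r" % userinfo)
        decoded = unquote(userinfo)
        # Percent-encoded control bytes (such as %01) have no legitimate
        # use in a user name.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            findings.append("control character in userinfo")
        # A user name containing dots is dressed up to look like a site name.
        if "." in decoded.split(":")[0]:
            findings.append("userinfo looks like a hostname")
    return parts.hostname, findings

# Constructed sample links (example.test is a placeholder host).
SPOOFED = "http://www.ibm.com%01@example.test/fleece-visitor.html"
PATH_AT = "http://www.ibm.com/promo@example.test/page.html"
PLAIN = "https://www.ibm.com/promo.nsf?freeiseries"

if __name__ == "__main__":
    for link in (SPOOFED, PATH_AT, PLAIN):
        host, findings = inspect_link(link)
        print(link)
        print("  real host:", host)
        for f in findings:
            print("  WARNING:", f)
```

A mail filter or proxy can apply the same check to every link in a message and show the real host next to the link text.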



