Marco Trova's weblog

Italian .NET life

Other MS04-004 Cumulative Security Update for Internet Explorer effects..

I found that I am not the only one with problems with this patch.

Fiat, the Italian motor company, has registered the (perfectly legal) www.buy@fiat.com domain to support its e-commerce marketing campaign..

Now, if you point your patched Internet Explorer browser to the http://www.buy@fiat.com address, you get an error.. Firefox renders it fine..

This patch corrects some security issues, but introduces other side-effects..

We will encounter the same things with the new Windows XP SP2..


Comments

Mauricio Feijo said:

I see the issue, but this situation makes me think: Is it good practice to have such a domain name, when @ is so widely used for email addresses? Legal, yes, but not something that I would do.
# March 7, 2004 10:00 AM

Marco Trova said:

Fiat has made investments to support their campaign.. Mkt people usually drive these types of bad decisions..

But did Microsoft think about whether this patch could affect existing applications and sites?
# March 7, 2004 10:08 AM

Lorenzo Barbieri said:

I don't think that www.buy@fiat.com is a perfectly legal domain...

fiat.com is, www.buy@ is a hack...

I think that they've made the modification to avoid other problems related to this feature.
The patch (for the address bar spoofing) works even if the registry hack is applied... I think that they have a lot of fear of other types of bugs related to this feature...

I've also had a lot of problems with this patch... but only with automated systems... I've never relied on it for user authentication.

Ciao!
# March 7, 2004 10:32 AM

Raymond Chen said:

If you look in the WHOIS database, there is no entry for buy@fiat.com, which is expected since @ is not a legal DNS character: RFC952 says 'A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.).'

Using @ to represent a userid was never legal. RFC1738 permits @ notation for ftp urls but not for http. Section 3.3 says "No user name or password is allowed."
# March 7, 2004 11:02 AM
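As an added illustration, not code from the post or any of its commenters, the following Python function parses a URL the way a standards-following client does and flags the two things the comment above cites: a user part in an http URL, which RFC 1738 section 3.3 forbids, and host characters outside the RFC 952 alphabet. The sample URLs in the script are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# RFC 952 hostname alphabet as quoted above: letters, digits, minus sign and period.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def classify_url(url):
    """Describe how a URL with '@' in its authority is really interpreted.

    Returns the scheme, the host the client actually connects to, the
    userinfo part (if any) and a list of standards problems found.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    userinfo = parts.username
    problems = []
    # RFC 1738 allows "user@" only in ftp URLs; an http URL must not carry one.
    if parts.scheme in ("http", "https") and userinfo is not None:
        problems.append("userinfo in %s URL (RFC 1738 s3.3 forbids it)" % parts.scheme)
    # Whatever precedes '@' is never part of the host name; check the real host.
    if not HOSTNAME_RE.match(host):
        problems.append("host %r contains characters outside the RFC 952 alphabet" % host)
    return {"scheme": parts.scheme, "host": host, "userinfo": userinfo, "problems": problems}


if __name__ == "__main__":
    # Constructed sample URLs: the Fiat address from the post, a plain http URL,
    # an ftp URL where userinfo is permitted, and a "looks like Microsoft" address
    # whose real host is the RFC 5737 documentation address 192.0.2.1.
    samples = [
        "http://www.buy@fiat.com",
        "http://www.fiat.com/",
        "ftp://anonymous@ftp.example.org/",
        "http://www.microsoft.com@192.0.2.1/",
    ]
    for sample in samples:
        info = classify_url(sample)
        print("%-40s host=%-14s userinfo=%-18s problems=%s"
              % (sample, info["host"], info["userinfo"], info["problems"] or "none"))
```

The fourth sample is why the patch matters: a reader sees "www.microsoft.com" at the start of the address, but the host actually contacted is what follows the "@".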

Marco Trova said:

I don't know if the domain was made with a hack.. but this patch has had an economic effect..

What there is to comment is the method used by Microsoft.

From Simon Willison's Weblog (http://simon.incutio.com/archive/2004/01/30/noMoreUsernames):
"There's an interesting contrast to be made here between open and closed development methodologies. The Mozilla project has had a bug open on this issue http://bugzilla.mozilla.org/show_bug.cgi?id=122445 for over two years, which has drawn over 170 comments with plenty of great ideas but no approved solution. Microsoft on the other hand have remained silent on the issue until (we can only assume) the bad publicity surrounding it forced them to act, at which point they announced a fix that appears to fly in the face of commonly accepted web standards - but does undoubtedly solve the problem. Of course, with no chance for user feedback prior to the decision it amounts to little less than a decree from God - which correlates directly to their inarguable domination of the browser market, at least in terms of market share."

Other comments:
IE security patch nixes some apps
http://news.com.com/2100-7355_3-5153534.html
# March 7, 2004 11:53 AM
