Other MS04-004 Cumulative Security Update for Internet Explorer effects..

re:Other MS04-004 Cumulative Security Update for Internet Explorer effects..

TrackBack — Sun, 10 Apr 2005 03:29:00 GMT

^_^,Pretty Good!

re: Other MS04-004 Cumulative Security Update for Internet Explorer effects..

Marco Trova — Sun, 07 Mar 2004 16:53:00 GMT

I don't know if the domain was made with a hack.. but this patch has had an economic effect..

What there is to comment is the method used by Microsoft.

From Simon Willison's Weblog (http://simon.incutio.com/archive/2004/01/30/noMoreUsernames):
"There's an interesting contrast to be made here between open and closed development methodologies. The Mozilla project has had a bug open on this issue http://bugzilla.mozilla.org/show_bug.cgi?id=122445 for over two years, which has drawn over 170 comments with plenty of great ideas but no approved solution. Microsoft on the other hand have remained silent on the issue until (we can only assume) the bad publicity surrounding it forced them to act, at which point they announced a fix that appears to gly in the face of commonly accepted web standards - but does undoubtedly solve the problem. Of course, with no chance for user feedback prior to the decision it amounts to little less than a decree from God - which correlates directly to their inarguable domination of the browser market, at least in terms of market share."

Other comments:
IE security patch nixes some apps
http://news.com.com/2100-7355_3-5153534.html

re: Other MS04-004 Cumulative Security Update for Internet Explorer effects..

Raymond Chen — Sun, 07 Mar 2004 16:02:00 GMT

If you look in the WHOIS database, there is no entry for buy@fiat.com, which is expected since @ is not a legal DNS character: RFC952 says 'A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.).'

Using @ to represent a userid was never legal. RC1738 permits @ notation for ftp urls but not for http. Section 3.3 says "No user name or password is allowed."

re: Other MS04-004 Cumulative Security Update for Internet Explorer effects..

Lorenzo Barbieri — Sun, 07 Mar 2004 15:32:00 GMT

I don't think that www.buy@fiat.com is a perfectly legal domain...

fiat.com is, www.buy@ is a hack...

I think that they've made the modification to avoid other problems related to this feature.
The patch (for the address bar spoofing) works also is the registry hack is applied... I think that they've a lot of fear for other types of bugs related to this feature...

I've also had a lot of problems with this patch... but only with automated systems... I've never relied on it for user authentication.

Ciao!

re: Other MS04-004 Cumulative Security Update for Internet Explorer effects..

Marco Trova — Sun, 07 Mar 2004 15:08:00 GMT

Fiat has made investments to support their campaign.. Mkt people usually drive these type of bad decisions..

But, do Microsoft have thinked if this patch could affect to existing applications and sites?

re: Other MS04-004 Cumulative Security Update for Internet Explorer effects..

Mauricio Feijo — Sun, 07 Mar 2004 15:00:00 GMT

I see the issue, but this situation makes me think: Is it good practice to have such a domain name, when @ is so widely used for emails addresses? Legal, yes, but not something that I would do.