Fog Creek Software
Discussion Board

Windows Security

http://www.theregister.co.uk/content/55/34863.html

Personally, I believe Bill Gates is just having a joke with us all; one day soon he's going to release a statement saying something like:

Over the last few years we have been carrying out an experiment into the minimum level of security consumers will accept in their daily lives.
Interestingly, it was somewhat lower than we anticipated...

wont _someone_ think of the children?
Thursday, January 15, 2004

"wont _someone_ think of the children?"

In this paranoid day and age it would probably get you arrested.


Thursday, January 15, 2004

I don't know much about the Windows APIs.  Why would this component just arbitrarily not display anything after that character appears?  Don't they use this component for anything else, or is it custom for IE?

Name withheld out of cowardice
Thursday, January 15, 2004

The exploit as given in "The Register" doesn't work. Whether that is the result of security or incompetence I don't know.

Stephen Jones
Thursday, January 15, 2004

I think that some call they make to scan the url just stops at the first instance of a string ending character.  i.e. '\0'.  Depending on what libraries they're using to read the location bar, it could be hard to fix.  How many people design string processing libraries that handle null characters within a string?

Andrew Hurst
Thursday, January 15, 2004

>How many people design string processing
>libraries that handle null characters within
>a string?

I think the point is more that you should have the same processing in both cases.  The address bar treats it as
www.somesite.com
while the call to retrieve the site treats it as
www.somesite.com%01@www.realsite.com

If they were consistent there would be much less of a problem.  Obviously they have two different string processing routines.  I wonder what the hover tooltip says?

Dave
Thursday, January 15, 2004
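The display/fetch inconsistency Dave describes, as an added example that is not code from the thread or from IE: a length-tracked percent-decoder for the URL authority, a C-string style "display" routine that stops at the first control byte (an assumed model of the truncation, not the real IE code), and a check that flags any URL whose visible host differs from the host that would actually be contacted. The sample authorities are constructed from the one quoted in the thread.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode into a length-tracked buffer; control bytes (0x00, 0x01) are kept, not string-ending. */
static size_t pct_decode(const char *src, unsigned char *dst, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0' && n < cap; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1]) && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else dst[n++] = (unsigned char)src[i];
    }
    return n;
}

/* Host = bytes after the last '@' of the authority (userinfo@host form). */
static void host_of(const unsigned char *a, size_t n, char *out, size_t cap) {
    size_t start = 0;
    for (size_t i = 0; i < n; i++)
        if (a[i] == '@') start = i + 1;
    size_t len = n - start < cap ? n - start : cap - 1;
    memcpy(out, a + start, len);
    out[len] = '\0';
}

/* Length a C-string style display routine sees: cut at the first control byte
   (an assumption modelling the truncation the thread describes). */
static size_t visible_len(const unsigned char *a, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] < 0x20 || a[i] == 0x7F) return i;
    return n;
}

/* 1 when the host a user would see differs from the host that gets contacted;
   both are written to the caller's buffers of size cap. */
int spoof_check(const char *authority, char *shown, char *real, size_t cap) {
    unsigned char dec[512];
    size_t n = pct_decode(authority, dec, sizeof dec);
    host_of(dec, visible_len(dec, n), shown, cap);   /* what the UI shows */
    host_of(dec, n, real, cap);                      /* what gets fetched */
    return strcmp(shown, real) != 0;
}

/* Convenience wrapper: 1 = displayed host and contacted host disagree. */
int is_spoofed(const char *authority) {
    char shown[256], real[256];
    return spoof_check(authority, shown, real, sizeof shown);
}
```

A legitimate `user@host` authority passes the check, since both routines see the same '@'; only a control byte hidden before the '@' makes the two views diverge.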

>>
personally I believe Bill gates is just having a joke with us all, one day soon hes going to release a statement saying something like:
<<

It's more likely that the Register is just having a joke with "us all", wondering how many people they can get to believe whatever they say.  Did you actually try the exploit they described?  At least with the version of IE I'm using (the latest IE 6), the full URL is displayed in the address bar as well as the status bar.

SomeBody
Thursday, January 15, 2004

The biggest oxymoron of our times:
Windows Security!

Ritesh Mangal
Friday, January 16, 2004

"At least with the version of IE I'm using (the latest IE 6), the full URL is displayed in the address bar as well as the status bar. "


Oh.  Well, clearly there is no problem here then, if it works on your machine.

Sorry guys, false alarm, no security breach here.  It was tested by one person on their computer and it doesn't work there.

Kind of a relief really :)

FullNameRequired
Friday, January 16, 2004
