Microsoft has taken a drastic step to prevent Explorer from being undermined by security holes by cutting an internet standard out of its browser.
The software giant has not disclosed when its “patch”, more accurately described as a “limiter”, will be made available, but it has said that it will prevent people from automatically logging into a website using just the browser’s address line.
The original problem has been used to make web users think they are visiting one site when they are at another. This is done by twisting the internet standard that allows you to sign into a website with a password and username using just a single address line of the form: http(s)://username:password@website.com.
By replacing the “username:password” part with a website name such as “www.computerweekly.com” and putting the result as a link in an e-mail or on a website, an attacker makes it look to the user as if the link leads to ComputerWeekly when it actually leads to website.com.
This simple ploy has been used to con people all over the world by making them think they are visiting trusted sites including PayPal and eBay.
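A mail filter or link checker can catch this by parsing each link the way a browser does and looking at what sits before the “@”. The Python below is an added example, not part of the original article; the function names, the hostname pattern and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Rough shape of a hostname: dot-separated labels ending in an alphabetic TLD.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message; website.com stands in for the real destination,
# as in the article.
SAMPLE = """Please confirm your details:
http://www.computerweekly.com@website.com/login
https://www.computerweekly.com/news
http://alice:s3cret@intranet.example/reports
http://www%2Ecomputerweekly%2Ecom:80@website.com/
"""

def inspect_link(url):
    """Return (real_host, userinfo, suspicious) for an http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        raise ValueError("not an http(s) URL with a host: %r" % (url,))
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    # The username part ends at the first ':'; a hostname-shaped username
    # is what makes the link read like a different site.
    user = userinfo.split(":", 1)[0]
    return parts.hostname, userinfo, bool(HOSTLIKE.match(user))

def flag_spoofed_links(text):
    """Return [(url, real_host)] for links whose userinfo imitates a hostname."""
    findings = []
    for url in URL_RE.findall(text):
        try:
            host, _userinfo, suspicious = inspect_link(url)
        except ValueError:
            continue  # malformed authority: nothing to compare
        if suspicious:
            findings.append((url, host))
    return findings

if __name__ == "__main__":
    for url, host in flag_spoofed_links(SAMPLE):
        print("%s -> really goes to %s" % (url, host))
```

An ordinary login such as alice:s3cret is left alone; only a username that is itself shaped like a site name is reported, together with the host the browser would actually contact.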
Microsoft has acknowledged this issue and said it will produce a fix before the idea of Explorer as a liability gathers mainstream momentum.
Microsoft has been criticised for not introducing a fix for this problem last month, leading many to believe it was not fixable.
Other browsers have the same issue with spoofed addresses. Mozilla has also yet to find a solution, while Opera throws up a warning box if it believes it may be a spoofed address.
Kieran McCarthy writes for Techworld.com