So, when I click on the following using my Firebird browser...
The URL window at the destination website reads as follows:
http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm
I'm trying to understand how this is strictly an IE flaw... honestly I am.
Let's try the time-honored technique of arranging these URLs one below the other, to see if we can discern any difference between them.
| Firebird | http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm |
| IE | http://windowsupdate.microsoft.com |
Firebird displays the URL that it was told to display. It was "redirected" by an HTTP header to bounce off the site at hail.he.net and go instead to "http://windowsupdate.microsoft.com%01@security.openwares.org". It is therefore doing what it was told to do, and correctly reporting what it was told to do.
Given the same redirection command, IE also does what it was told to do, but it does not tell the user what that was. Instead it tells the user that he is at windowsupdate.microsoft.com, which is not so.
It is probably true that there are people out there who cannot tell these URLs apart, but there are other people who would notice it, and who would smell a rat if they saw that funny-looking thing in the URL window. IE gives them no opportunity to exercise such caution, because it gives them no warning that anything is wrong.
This is how "idiot lights" in cars happened. There were people out there who had no idea that when the little needle on the oil pressure gauge went limp, the engine was minutes if not seconds away from blowing out. But it was not a flaw in the car that the person did not know this. But it would be a flaw if the gauge read normal when in fact the oil pressure was zero. That's what we have here.
Anyway, there's a patch out there for it now, so if people want to make this go away, they can.