URL Spoofing Patch-Spyware-free RealPlayer

From:         Patrick Douglas Crispen 
Subject:      Tourbus - 6 Feb 04 - URL Spoofing Patch / Spyware-free RealPlayer

TODAY'S TOURBUS STOPS: URL Spoofing Patch / Spyware-free RealPlayer

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, where, at the tone, it will be exactly five o'clock. DING! :P

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show...

Microsoft URL Spoofing Patch Audience: All PC users

Microsoft released a patch (actually, a critical update) for the URL spoofing vulnerability in Internet Explorer we first discussed back in December. [YAY!] To get the patch, just run Windows Update by either choosing Tools > Windows Update in Internet Explorer or pointing your web browser to

http://windowsupdate.microsoft.com/

The patch was issued on Monday, which is kind of odd because Microsoft usually releases critical updates on the second Tuesday of each month.

Now for the bad news. And, if truth be told, this is bad news only if you know what RFC 1738 is.

According to the security bulletin accompanying Microsoft's patch, while the patch fixes Internet Explorer's URL spoofing vulnerability it also "removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer." What does that mean in English? Well, pretend you want to view a web page at example.com but the page requires you to type in a username and password. You have two options:

1. Go to http://www.example.com/ and then manually type in your username and password in the little "enter password" dialog box that pops-up; or

2. Go to http://username:password@example.com/

Notice how, in that second example, the username and password are embedded into example.com's URL? Technically, you shouldn't be able to do that. [RFC 1738 specifically states that usernames and passwords are not allowed in the HTTP URL scheme.] That you *ARE* able to put usernames and passwords in your URLs is actually a bug.

The bad news, if you can call it that, is that Microsoft's patch fixes this bug.

What does this mean to you and me? Absolutely nothing. We can still access every password protected site we have accessed in the past. And if you have Internet Explorer set up so that it remembers passwords for you, Internet Explorer will still remember passwords for you. NOTHING CHANGES... except for our ability to manually embed usernames and passwords into URLs (like http://username:password@example.com/). We can't do that anymore. And that's fine with me. :)

If you want to find out more about Microsoft's latest patch, check out

http://tinyurl.com/2ek3t

This page even has a link to Window Update if you can't access it through Tools > Windows Update. [And, of course, you could always throw away your PC and just get a Mac, a *nix box, or an abacus--I hear the latter is MUCH easier to defrag.]

Happy patching! :)

RealPlayer sans spyware Audience: Everyone

One of the Internet's worst-kept secrets is that RealNetwork's RealPlayer is kind of sort of spyware-like and that many of RealPlayer's optional downloads--the extra stuff you can download when you first get RealPlayer--are full-blown spyware.

Because of that, many people have abandoned RealPlayer and switched to competing programs like RealAlternative at

http://www.majorgeeks.com/download4094.html

RealAlterative is certainly an, um, alternative, but if you are married to keeping RealPlayer on your PC, Mac, or *nix box without it spying on you, there may be hope. My good friend Lee Overstreet recently posted step-by-step instructions on how to download and install RealPlayer on a PC without having it take over your life. Just point your web browser to

http://www.uacomputerhelp.com/

and click on the "Installing Real One Player" link at the bottom of the page. Unfortunately, Lee's instructions don't talk about how to install RealPlayer on a Mac or *nix box and disable its spyware-like features, but with 100,000+ people on our little bus of Internet happiness I am sure someone knows where I can find this information.

If you are using the free version of RealPlayer, chances are you have an old version. Might I suggest you completely uninstall your old version of RealPlayer--for instructions on how to do this on a PC, take a look at http://tinyurl.com/ytzw4--and then follow Lee's instructions to get the newest version?

Better still, you could instead uninstall RealPlayer and then pay a visit to our friends at the BBC.

Huh? Well, this is kind of hard to believe, but according to an anonymous poster to the Boing Boing blog,

The BBC made a unique deal with Real Networks which disposes of their spyware tactics. Basically, if a user clicks on a link to download Real Player from a BBC website, the referrer script sends them to a page where they can download an expiry-free, spyware-free and nuicance-free version of the player. It's because the BBC have such a stringent public service remit, that it was offensive to charge people a license fee for BBC content, then make them pay all over again for the facility to view/listen to it.

You can download the (supposed) non-spyware-like RealPlayer from the beeb at

http://www.bbc.co.uk/radio/audiohelp.shtml?help

Four different versions are available:

1. One for Windows98, 98SE, ME, NT 4, 2000, and XP.

2. One for Mac OS X. [See?! I didn't forget those of you who compute with fruit!] :P

3. One for Windows 95 or Mac OS 8 or 9.

4. One for Solaris 2.6/2.7 or Linux 2.0

The BBC also offers step-by-step installation instructions. Pretty cool, huh? And, to listen to any of the BBC's countless online broadcasts, just hop on over to

http://www.bbc.co.uk/radio/

and click on the station to which you'd like to listen.

Enjoy!

Tourbus Riders, Get Your Free Issue Of PC Today Magazine!

Don't hit your keyboard. Don't bash in your monitor. Don't stomp up and down screaming about how Microsoft Windows has ruined your life. Get PC Today! PC Today is the Ultimate Resource For Windows Users. Click here to get your free trial issue of PC Today now!

---> http://tourbus.com/pctoday.htm <---

That's it for today. Have a safe and happy week and we'll talk again soon!

           .~~~.  ))
 (\__/)  .'     )  ))       Patrick Douglas Crispen
 /o o  \/     .~
{o_,    \    {              crispen@netsquirrel.com
  / ,  , )    \            http://www.netsquirrel.com/ 
  `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
 _(    (   )_.'
---..{____}                  Warning: squirrels.