Message-ID: <40CB8263.18297.7605685C@localhost>
Date: Sat, 12 Jun 2004 22:23:31 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com, ntbugtraq@...tserv.ntbugtraq.com,
full-disclosure@...ts.netsys.com
Subject: MS web designers -- "What Security Initiative?"
The MS Security Initiative is an utter sham.
I commented on the uselessness of the "new, improved" MS Security
Bulletin web pages when they were "upgraded" to .mspx form. In doing
so I rather rudely pinned the blame for the unusability of the new
Security Bulletin pages on the MSRC staff -- as subsequent Email from
MSRC confirmed, they simply provide the content which is then served to
the world at the whim of one or other of MS' web design teams.
And, to give them their dues, they "fixed" those pages so "weird" folk
like me whose security sensibilities require surfing with scripting
disabled could actually read all the content of those pages without
having to resort to the ugliness and inconvenience of source viewing
and the like. (Of course, they had to do it in such a way that the
original, security-antagonistic "improved features" -- mainly of the
"flying pink elephant" kind -- were retained, thereby increasing the
size and complexity of all those pages...) Singling out MSRC for the
blame in that case at least had a chance of getting it fixed so a
resource I have to use was at least usefully usable again.
For reasons I now forget, I never got around to the follow-up post on
much the same issues as they were present in the "Order the Windows
Security Update CD" page -- the page is designed to be unusable unless
you have scripting enabled in your browser (from memory it used a
script to submit the initial stage of the order form -- choosing the
country your ordered CD was to be delivered to). I know scripting is
enabled by default in the joke of a program that passes for a web
browser in a default Windows installation, but why do MS web designers
assume the rest of the world is as security antagonistic (or perhaps
just as security ignorant?) as they themselves are?
Anyway, the reason for today's swing at MS' web designers -- spam.
I just had occasion to attempt to revisit a bookmarked MS-hosted page
dealing with spam, specifically:
http://www.microsoft.com/mind/1299/spam/spam.htm
Imagine my surprise when an apparently successful page load resulted in
an entirely blank window... From viewing the page source the problem
was apparent -- aside from the minimum structural requirements of a
proper HTML page, the page consisted solely of a script tag that pulls
in its content from:
http://www.microsoft.com/mind/mind.js
In turn that is a simple script that lowercases the URI of its
container page (which is the .../spam.htm URI from above because the
script is included into that page's "head" section), searches that for
the last instance of ".htm", replacing it with ".asp" then does a
window.parent.location.replace to redirect the page. With scripting
enabled the result of trying to visit the original target URI is a near
instant redirect to:
http://www.microsoft.com/mind/1299/spam/spam.asp
Independent of the gross stupidity of assuming everyone is dumb enough
to browse with scripting enabled that this entails, it also strikes me
as terribly inefficient from the user's perspective (but maybe that's
an issue you're unlikely to be able to convince the staff of the
wealthiest company on Earth, who all sit on fast network connections
and would rather save a few grand by not adding a box or two more to
the server farm by pushing out stupid little script pages to get their
web visitors to use network bandwidth and their own CPU power to
calculate web redirects on MS' behalf).
Was it really too much work to remap all the ".htm" content under the
http://www.microsoft.com/mind/ tree to ".asp"??
Of course, the observant among you will have noticed that the above
page has not yet been converted to ".mspx" format and still languishes
as a ".asp".
Believe it or not, things may yet get sillier...
For ages I have told less technical folk (especially SOHO types) asking
for such advice that they should visit www.microsoft.com/security --
following my own advice the other day in the need to check something
out, imagine my surprise when an apparently successful page load
resulted in an entirely blank window...
I guess it is not that surprising now, eh?
As best I can tell, requesting that URI results in what is actually:
http://www.microsoft.com/security/default.asp
being served.
Guess what? That page consists solely of an absolutely minimal set of
HTML tags and the one-line script:
window.location.replace("/security/default.mspx")
intended to redirect script-enabled users to:
http://www.microsoft.com/security/default.mspx
while leaving scriptless visitors staring at a blank page.
The obvious first question is why is the server still configured to
serve default.asp, rather than default.mspx, when asked for
http://www.microsoft.com/security/? Sure, keep a default.asp page with
some kind of redirection in place to handle all those bookmark and link
references that originally included the "default.asp" part of the URI
path, but why leave the server config to treat that as the default page
to serve for that URI? Second, if you must redirect, as above, why do
it purely using client-side script?
...
All this _recent_ script nonsense is clearly antithetical to Billy
Boy's close to 2.5 year old dictate that security must trump featuritis
in MS products and services. Is 28 months not enough time to hammer
into the web designers at MS the basic idea that assuming client-side
scripting is enabled across the board is both stupid and
antithetical to the company's much vaunted (though seemingly worthless)
"Security Initiative"? The continued appearance of new web pages that
require client-side scripting be enabled for the page to have _any_
utility at all, _especially_ when there are better non-script
alternatives suggests that those who design and provide the most public
face of MS -- its web site -- not only have not yet got the picture,
but have no idea that the frame of reference was changed more than two
years ago...
Don't get me wrong -- folk who want or, <shiver> "need", to see the
pink flying elephant "features" are most welcome to them, along with all
the horrendous security vulnerability exploits that are so much easier
in script-enabled browsers. More power to them -- heck, they ensure we
have a job... But for pity's sake, why are MS' web designers _still_
designing pages that require scripting where simple "submit", "href"
and such other _basic_ HTML concepts will provide the same level of
functionality for the main purpose of "bread and butter" web browsing
-- information presentation???
At the outset of the Security Initiative the skeptics largely said
"it's a marketing ploy", but its defenders said "it will take time for
the real results to be seen". As the weeks turned into months and now
years and little has been seen to have improved (and some very public
things to have gone backwards), it seems increasingly that the skeptics
may have been right...
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html