Open Source and information security mailing list archives
 
Message-ID: <40E6E5FF.9410.2AF91BD2@localhost>
Date: Sat, 03 Jul 2004 16:59:43 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, BUGTRAQ@...URITYFOCUS.COM,
   FULL-DISCLOSURE@...ts.netsys.com
Subject: What a difference a char makes...


MS does it again...

I'm not sure whether to laugh or cry.

   http://www.microsoft.com/security/incident/Download_Ject.mspx

   ...

   Actions for Home Users

   ...

   2. Check for Infection

   ...

      3.  At the command prompt, type:
          dir /a /s /b &systemdrive%\kk32.dll
          and then press the ENTER key to search your
          computer.
          If the file is present, the file path is displayed. If
          the file is not present, a message is displayed
          that the system cannot find the path.

There's no prize for spotting the typo, nor for guessing what your 
typical home user's reaction will be if they actually follow this 
"advice".

On reflection, perhaps there should be a prize for the latter, as 
accurately guessing that could be quite tricky.  Due to the error 
(repeated in step 4 -- the glories of cut'n'paste...) the user will 
receive a possibly quite long directory listing (after all, at least on 
Win2K and XP the default directory for the command prompt will be the 
current user's "homepath" directory which houses, by default, as one of 
its many sub-directories, IE's TIF) followed by the message, as the 
very last line of output:

   The system cannot find the path specified.

...

Does MS not employ technical writers?

What about tech reviewers?

What about the age-old publishing concept of having some vaguely 
clueful person _who had nothing to do with the generation or layout of 
the content_ look critical new web pages over before "publishing" them? 
OK, so this is "the web", but critical information still does not 
deserve an attitude of "it's just the web", does it?

The odd spelling mistake on the Office or IIS marketing pages we may 
accept, but getting something so badly wrong that anyone with two days' 
experience of real system administration would spot in an eye-blink 
_AND_ with such potentially confusing results is pretty darn shoddy 
even by MS' own long history of shoddy security standards...

Could it be worse?  Well, the page has not been posted long enough for 
Google to have indexed it, yet...

I wonder when the first softie would have noticed this?

...

One final observation, ignoring that "&" has to be escaped in HTML 
markup (encoded as an HTML entity in this case), this is actually the 
very smallest of computer errors.  I said "What a difference a char 
makes..." in my Subject: line, but this is really just a single bit 
error, as "%" is 0x25 and "&" 0x26.

Would it be too unkind to conclude that MS doesn't care one bit about 
accuracy?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
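The check as the Microsoft page presumably meant it, beside a harmless demonstration of how cmd.exe actually parses the published line. This is an added example for this archive page; it is not code from the original post nor from Microsoft's Download.Ject page, and it assumes only that cmd.exe expands %systemdrive% before running dir and treats an unquoted & as a command separator:

```batch
@echo off
rem Added example: not from the original post or from Microsoft's page.

rem 1. The intended command. %systemdrive% is expanded (e.g. to C:) before
rem    dir runs, so the whole drive is searched for the single file name.
rem    dir sets ERRORLEVEL 1 when nothing matches, so the result can be
rem    tested instead of asking a home user to interpret the output.
dir /a /s /b %systemdrive%\kk32.dll 2>nul
if %errorlevel%==0 (
    echo kk32.dll FOUND - see the path printed above
) else (
    echo kk32.dll not found on %systemdrive%
)

rem 2. The published command, printed with echo rather than executed.
rem    With an unquoted ampersand cmd.exe splits the line into two commands:
rem        dir /a /s /b            (lists the current directory tree)
rem        systemdrive%\kk32.dll   (run as a program path that does not exist)
rem    which is why a long listing is followed by a "cannot find the path"
rem    message. ^& and %% are the batch escapes for a literal & and %.
echo dir /a /s /b ^&systemdrive%%\kk32.dll
```

Run it from a cmd.exe prompt as a .bat file; the first part reports a clear found/not-found verdict, and the second only prints the mis-typed line so nothing misleading is executed.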

