Message-ID: <Pine.LNX.4.21.0403122314570.22407-100000@kcisp2>
From: mikehome at kcisp.net (Mike Barushok)
Subject: Re: MS Security Response is a bunch of half-witted morons

On Fri, 12 Mar 2004, Troy wrote:

> On Fri, 12 Mar 2004 16:09:21 -0500, jim_walsh@...dyear.com wrote:
>
> > Your points are well taken and understandable. But if you are supporting
> > a M$ operating system enough to need to read the SB's, then wouldn't your
> > IE be up to date to read them? Even if you would just use IE to read M$'s
> > site? To sit and scream about web design decisions in this mailing group
> > seems a little childish. And if one was to argue that "Anyone needs to
> > read these articles not just people that support M$ OS's", well to
> > that...most people that have a M$ OS as an end user have auto update
> > turned on and don't even think twice about it...if they update at all.
>
> I took Nick's comments differently. The way I understood it, the problem
> is that Microsoft forces you to use a scripting language to read a
> security article. A scripting language could have security problems. As
> a result, many people have JavaScript disabled for security reasons,
> regardless of their version of IE.
>
> I agree with Nick. It is ironic and unfortunate that MS would force
> users to turn on a potentially unsafe scripting language to read a
> security bulletin.

I agree (mostly), and even worse is when one views the source, navigates to the links, finds the meat of the article, where it suggests a work around for some news flaw of 'disable scripting in your browser'! (A Cisco advisory about a year and one-half ago IIRC).

I only throw in the 'mostly' because while I agree with the point of the OP, I do recognize that Microsoft does not 'force' anyone to use scripting, they are only making it difficult for the average Aunt Tilly to comprehend what security settings are 'best practice' and which are paranoid, and what functionality the user should reasonably expect to lose by being more 'safe'.

There have been lots of third parties advising that uninstalling WSH on Win98 was an excellent idea until around the time that some script on WindowsUpdate called it directly so one had to choose between re-installing WSH or never getting updates. And apparently WSH was only being invoked for some time elapsed display or something equally trivial, yet the 'checking for updates' would not complete without it.

Is there no way to suggest to Microsoft that the wording when scripting is set to prompt that 'scripts are usually safe' is misleading and unuseful? I mean some way that they might sit up and take notice of?

At one time it seemed like at least government web sites were trying their hardest to avoid requiring or suggesting cookies or scripting, but lately they too have mostly gone over to the dark side.

I am told that if scripting is set to 'prompt for action' (or whatever it calls it), in IE on Windows, that Outlook Express suggests that thing about scripts usually being safe, .. twice, (if you say no) when opened, yet no apparent difference in functionality can be discerned. So either OE has just a nuisance reminder that you have set scripting security to ask, or there is some not fully observable reason that OE is running a script.

Does anyone know what script(s) OE is loading when it is opened?