[Full-Disclosure] MS web designers -- "What Security Initiative?"

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 06/12/04

  • Next message: James D. Stallard: "Doubleclick programs entry on start menu"
    Date:         Sat, 12 Jun 2004 22:23:31 +1200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    The MS Security Initiative is an utter sham.

    I commented on the uselessness of the "new, improved" MS Security
    Bulletin web pages when they were "upgraded" to .mspx form. In doing
    so I rather rudely pinned the blame for the unusability of the new
    Security Bulletin pages on the MSRC staff -- as subsequent Email from
    MSRC confirmed, they simply provide the content which is then served to
    the world at the whim of one or other of MS' web design teams.

    And, to give them their dues, they "fixed" those pages so "weird" folk
    like me whose security sensibilities require surfing with scripting
    disabled could actually read all the content of those pages without
    having to resort to the ugliness and inconvenience of source viewing
    and the like. (Of course, they had to do it in such a way that the
    original, security-antagonistic "improved features" -- mainly of the
    "flying pink elephant" kind -- were retained, thereby increasing the
    size and complexity of all those pages...) Singling out MSRC for the
    blame in that case at least had a chance of getting it fixed so a
    resource I have to use was at least usefully usable again.

    For reasons I now forget, I never got around to the follow-up post on
    much the same issues as they were present in the "Order the Windows
    Security Update CD" page -- the page is designed to be unusable unless
    you have scripting enabled in your browser (from memory it used a
    script to submit the initial stage of the order form -- choosing the
    country your ordered CD was to be delivered to). I know scripting is
    enabled by default in the joke of a program that passes for a web
    browser in a default Windows installation, but why do MS web designers
    assume the rest of the world is as security antagonistic (or perhaps
    just as security ignorant?) as they themselves are?

    Anyway, the reason for today's swing at MS' web designers -- spam.

    I just had occasion to attempt to revisit a bookmarked MS-hosted page
    dealing with spam, specifically:

       http://www.microsoft.com/mind/1299/spam/spam.htm

    Imagine my surprise when an apparently successful page load resulted in
    an entirely blank window... From viewing the page source the problem
    was apparent -- aside from the minimum structural requirements of a
    proper HTML page, the page consisted solely of a script tag that pulls
    in its content from:

       http://www.microsoft.com/mind/mind.js

    In turn that is a simple script that lowercases the URI of its
    container page (which is the .../spam.htm URI from above because the
    script is included into that page's "head" section), searches that for
    the last instance of ".htm", replacing it with ".asp" then does a
    window.parent.location.replace to redirect the page. With scripting
    enabled the result of trying to visit the original target URI is a near
    instant redirect to:

       http://www.microsoft.com/mind/1299/spam/spam.asp

    Independent of the gross stupidity of assuming everyone is dumb enough
    to browse with scripting enabled that this entails, it also strikes me
    as terribly inefficient from the user's perspective (but maybe that's
    an issue you're unlikely to be able to convince the staff of the
    wealthiest company on Earth, who all sit on fast network connections
    and would rather save a few grand by not adding a box or two more to
    the server farm by pushing out stupid little script pages to get their
    web visitors to use network bandwidth and their own CPU power to
    calculate web redirects on MS' behalf).

    Was it really too much work to remap all the ".htm" content under the
    http://www.microsoft.com/mind/ tree to ".asp"??

    Of course, the observant among you will have noticed that the above
    page has not yet been converted to ".mspx" format and still languishes
    as a ".asp".

    Believe it or not, things may yet get sillier...

    For ages I have told less technical folk (especially SOHO types) asking
    for such advice that they should visit www.microsoft.com/security --
    following my own advice the other day in the need to check something
    out, imagine my surprise when an apparently successful page load
    resulted in an entirely blank window...

    I guess it is not that surprising now, eh?

    As best I can tell, requesting that URI results in what is actually:

       http://www.microsoft.com/security/default.asp

    being served.

    Guess what? That page consists solely of an absolutely minimal set of
    HTML tags and the one-line script:

       window.location.replace("/security/default.mspx")

    intended to redirect script-enabled users to:

       http://www.microsoft.com/security/default.mspx

    while leaving scriptless visitors staring at a blank page.

    The obvious first question is why is the server still configured to
    serve default.asp, rather than default.mspx, when asked for
    http://www.microsoft.com/security/? Sure, keep a default.asp page with
    some kind of redirection in place to handle all those bookmark and link
    references that originally included the "default.asp" part of the URI
    path, but why leave the server config to treat that as the default page
    to serve for that URI? Second, if you must redirect, as above, why do
    it purely using client-side script?

    ...

    All this _recent_ script nonsense is clearly antithetical to Billy
    Boy's close to 2.5 year old dictate that security must trump featuritis
    in MS products and services. Is 28 months not enough time to hammer
    into the web designers at MS the basic idea that assuming client-side
    scripting is enabled across the board is both stupid and
    antithetical to the company's much vaunted (though seemingly worthless)
    "Security Initiative"? The continued appearance of new web pages that
    require client-side scripting be enabled for the page to have _any_
    utility at all, _especially_ when there are better non-script
    alternatives suggests that those who design and provide the most public
    face of MS -- its web site -- not only have not yet got the picture,
    but have no idea that the frame of reference was changed more than two
    years ago...

    Don't get me wrong -- folk who want or, <shiver> "need", to see the
    pink flying elephant "features" are most welcome to them, along with all
    the horrendous security vulnerability exploits that are so much easier
    in script-enabled browsers. More power to them -- heck, they ensure we
    have a job... But for pity's sake, why are MS' web designers _still_
    designing pages that require scripting where simple "submit", "href"
    and such other _basic_ HTML concepts will provide the same level of
    functionality for the main purpose of "bread and butter" web browsing
    -- information presentation???

    At the outset of the Security Initiative the skeptics largely said
    "it's a marketing ploy", but its defenders said "it will take time for
    the real results to be seen". As the weeks turned into months and now
    years and little has been seen to have improved (and some very public
    things to have gone backwards), it seems increasingly that the skeptics
    may have been right...

    Regards,

    Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----

