MS web designers -- "What Security Initiative?"

To: bugtraq@xxxxxxxxxxxxxxxxx, ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
Subject: MS web designers -- "What Security Initiative?"
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 12 Jun 2004 22:23:31 +1200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Personal account
Priority: normal
Reply-to: nick@xxxxxxxxxxxxxxxxxxx

The MS Security Initiative is an utter sham.

I commented on the uselessness of the "new, improved" MS Security 
Bulletin web pages when they were "upgraded" to .mspx form.  In doing 
so I rather rudely pinned the blame for the unusability of the new 
Security Bulletin pages on the MSRC staff -- as subsequent Email from 
MSRC confirmed, they simply provide the content which is then served to 
the world at the whim of one or other of MS' web design teams.

And, to give them their dues, they "fixed" those pages so "weird" folk 
like me whose security sensibilities require surfing with scripting 
disabled could actually read all the content of those pages without 
having to resort to the ugliness and inconvenience of source viewing 
and the like.  (Of course, they had to do it in such a way that the 
original, security-antagonistic "improved features" -- mainly of the 
"flying pink elephant" kind -- were retained, thereby increasing the 
size and complexity of all those pages...)  Singling out MSRC for the 
blame in that case at least had a chance of getting it fixed so a 
resource I have to use was at least usefully usable again.

For reasons I now forget, I never got around to the follow-up post on 
much the same issues as they were present in the "Order the Windows 
Security Update CD" page -- the page is designed to be unusable unless 
you have scripting enabled in your browser (from memory it used a 
script to submit the initial stage of the order form -- choosing the 
country your ordered CD was to be delivered to).  I know scripting is 
enabled by default in the joke of a program that passes for a web 
browser in a default Windows installation, but why do MS web designers 
assume the rest of the world is as security antagonistic (or perhaps 
just as security ignorant?) as they themselves are?

Anyway, the reason for today's swing at MS' web designers -- spam.

I just had occasion to attempt to revisit a bookmarked MS-hosted page 
dealing with spam, specifically:

   http://www.microsoft.com/mind/1299/spam/spam.htm

Imagine my surprise when an apparently successful page load resulted in 
an entirely blank window...  From viewing the page source the problem 
was apparent -- aside from the the minimum structural requirements of a 
proper HTML page, the page consisted solely of a script tag that pulls 
in its content from:

   http://www.microsoft.com/mind/mind.js

In turn that is a simple script that lowercases the URI of its 
container page (which is the .../spam.htm URI from above because the 
script is included into that page's "head" section), searches that for 
the last instance of ".htm", replacing it with ".asp" then does a 
window.parent.location.replace to redirect the page.  With scripting 
enabled the result of trying to visit the original target URI is a near 
instant redirect to:

   http://www.microsoft.com/mind/1299/spam/spam.asp

Independent of the gross stupidity of assuming everyone is dumb enough 
to browse with scripting enabled that this entails, it also strikes me 
as terribly inefficient from the user's perspective (but maybe that's 
an issue you're unlikely to be able to convince the staff of the 
wealthiest company on Earth, who all sit on fast network connections 
and would rather save a few grand by not adding a box or two more to 
the server farm by pushing out stupid little script pages to get their 
web visitors to use network bandwidth and their own CPU power to 
calculate web redirects on MS' behalf).

Was it really too much work to remap all the ".htm" content under the 
http://www.microsoft.com/mind/ tree to ".asp"??

Of course, the observant among you will have noticed that the above 
page has not yet been converted to ".mspx" format and still languishes 
as a ".asp".

Believe it or not, things may yet get sillier...

For ages I have told less technical folk (especially SOHO types) asking 
for such advice that they should visit www.microsoft.com/security -- 
following my own advice the other day in the need to check something 
out, imagine my surprise when an apparently successful page load 
resulted in an entirely blank window...

I guess it is not that surprising now, eh?

As best I can tell, requesting that URI results in what is actually:

   http://www.microsoft.com/security/default.asp

being served.

Guess what?  That page consists solely of an absolutely minimal set of 
HTML tags and the one-line script:

   window.location.replace("/security/default.mspx")

intended to redirect script-enabled users to:

   http://www.microsoft.com/security/default.mspx

while leaving scriptless visitors staring at a blank page.

The obvious first question is why is the server still configured to 
serve default.asp, rather than default.mspx, when asked for 
http://www.microsoft.com/security/?  Sure, keep a default.asp page with 
some kind of redirection in place to handle all those bookmark and link 
references that originally included the "default.asp" part of the URI 
path, but why leave the server config to treat that as the default page 
to serve for that URI?  Second, if you must redirect, as above, why do 
it purely using client-side script?

...

All this _recent_ script nonsense is clearly antithetical to Billy 
Boy's close to 2.5 year old dictate that security must trump featuritis 
in MS products and services.  Is 28 months not enough time to hammer 
into the web designers at MS the basic idea that assuming client-side 
scripting is enabled across the the board is both stupid and 
antithetical to the company's much vaunted (though seemingly worthless) 
"Security Initiative"?  The continued appearance of new web pages that 
require client-side scripting be enabled for the page to have _any_ 
utility at all, _especially_ when there are better non-script 
alternatives suggests that those who design and provide the most public 
face of MS -- its web site -- not only have not yet got the picture, 
but have no idea that the frame of reference was changed more than two 
years ago...

Don't get me wrong -- folk who want or, <shiver> "need", to see the 
pink flying elephant "features" as most welcome to them, along with all 
the horrendous security vulnerability exploits that are so much easier 
in script-enabled browsers.  More power to them -- heck, they ensure we 
have a job...  But for pity's sake, why are MS' web designers _still_ 
designing pages that require scripting where simple "submit", "href" 
and such other _basic_ HTML concepts will provide the same level of 
functionality for the main purpose of "bread and butter" web browsing
-- information presentation???

At the outset of the Security Initiative the skeptics largely said 
"it's a marketing ploy", but its defenders said "it will take time for 
the real results to be seen".  As the weeks turned into months and now 
years and little has been seen to have improved (and some very public 
things to have gone backwards), it seems increasingly that the skeptics 
may have been right...


Regards,

Nick FitzGerald

Prev by Date: Re: Potential Security Flaw in Symantec Gateway Security 360R
Next by Date: [FMADV] Subversion <= 1.04 Heap Overflow
Previous by thread: Multiple vulnerabilities in RealPlayer (#NISR11062004)
Next by thread: Re: MS web designers -- "What Security Initiative?"
Index(es):
- Date
- Thread