Full Disclosure mailing list archives

What a difference a char makes...
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 03 Jul 2004 16:59:43 +1200

MS does it again...

I'm not sure whether to laugh or cry.

   http://www.microsoft.com/security/incident/Download_Ject.mspx

   ...

   Actions for Home Users

   ...

   2. Check for Infection

   ...

      3.  At the command prompt, type:
          dir /a /s /b &systemdrive%\kk32.dll
          and then press the ENTER key to search your
          computer.
          If the file is present, the file path is displayed. If
          the file is not present, a message is displayed
          that the system cannot find the path.

There's no prize for spotting the typo, nor for guessing what your 
typical home user's reaction will be if they actually follow this 
"advice".

On reflection, perhaps there should be a prize for the latter, as 
accurately guessing that could be quite tricky.  Due to the error 
(repeated in step 4 -- the glories of cut'n'paste...) the user will 
receive a possibly quite long directory listing (after all, at least on 
Win2K and XP the default directory for the command prompt will be the 
current user's "homepath" directory which houses, by default, as one of 
its many sub-directories, IE's TIF) followed by the message, as the 
very last line of output:

   The system cannot find the path specified.

...

Does MS not employ technical writers?

What about tech reviewers?

What about the age-old publishing concept of having some vaguely 
clueful person _who had nothing to do with the generation or layout of 
the content_ look critical new web pages over before "publishing" them? 
OK, so this is "the web", but critical information still does not 
deserve an attitude of "it's just the web", does it?

The odd spelling mistake on the Office or IIS marketing pages we may 
accept, but getting something so badly wrong that anyone with two days' 
experience of real system administration would spot in an eye-blink 
_AND_ with such potentially confusing results is pretty darn shoddy 
even by MS' own long history of shoddy security standards...

Could it be worse?  Well, the page has not been posted long enough for 
Google to have indexed it, yet...

I wonder when the first softie would have noticed this??

...

One final observation: ignoring that "&" has to be escaped in HTML 
markup (encoded as an HTML entity in this case), this is actually the 
very smallest of computer errors.  I said "What a difference a char 
makes..." in my Subject: line, but this is really just a single bit 
error, as "%" is 0x25 and "&" 0x26.

Would it be too unkind to conclude that MS doesn't care one bit about 
accuracy?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
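The cmd.exe behaviour the post describes, as an added example that is not part of the original message: an unquoted `&` is a command separator, so the misprinted line becomes two commands, and the lone `%` leaves an unbalanced variable reference. The two command lines are the ones quoted in the post; the function names and the splitter are this example's own (a simplified model of cmd parsing, not Microsoft code).

```python
# Added example: model how cmd.exe splits a command line and flag the
# '&' for '%' typo from the Download.Ject advisory quoted above.

# Command lines exactly as quoted in the post (misprinted and intended).
CMD_LINE_FROM_ADVISORY = r"dir /a /s /b &systemdrive%\kk32.dll"
CMD_LINE_INTENDED = r"dir /a /s /b %systemdrive%\kk32.dll"


def split_on_separators(line: str) -> list[str]:
    """Split a cmd.exe line into the commands cmd would run in turn.

    Simplified model: '&', '&&', '|' and '||' separate commands unless they
    sit inside double quotes or are escaped with '^'.
    """
    cmds, cur, i, in_quotes = [], "", 0, False
    while i < len(line):
        ch = line[i]
        if ch == "^" and not in_quotes and i + 1 < len(line):
            cur += line[i + 1]          # '^' escapes the next character
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in "&|" and not in_quotes:
            cmds.append(cur.strip())
            cur = ""
            if i + 1 < len(line) and line[i + 1] == ch:  # '&&' or '||'
                i += 1
            i += 1
            continue
        cur += ch
        i += 1
    cmds.append(cur.strip())
    return [c for c in cmds if c]


def dangling_percent_tokens(command: str) -> list[str]:
    """Words with an odd number of '%' (an unbalanced %VAR% reference)."""
    return [w for w in command.split() if w.count("%") % 2 == 1]


def lint(line: str) -> list[str]:
    """Findings for a command line copied out of a help page or advisory."""
    cmds = split_on_separators(line)
    findings = []
    if len(cmds) > 1:
        # The advisory line runs 'dir /a /s /b' (a full recursive listing
        # of the current directory) and then tries to run 'systemdrive%\kk32.dll'.
        findings.append(f"line runs {len(cmds)} separate commands: {cmds}")
    for c in cmds:
        for tok in dangling_percent_tokens(c):
            findings.append(f"unbalanced % reference in {tok!r}")
    return findings


if __name__ == "__main__":
    for name, line in (("advisory", CMD_LINE_FROM_ADVISORY), ("intended", CMD_LINE_INTENDED)):
        print(name, "->", lint(line) or "ok")
```

Run against the advisory text, the linter reports both the split into two commands and the unbalanced `%`, while the intended `%systemdrive%` line passes.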

