Full Disclosure mailing list archives

RE: What a difference a char makes...
From: "joe" <mvp () joeware net>
Date: Wed, 7 Jul 2004 15:45:47 -0400

Thanks Nick, you should find this corrected now.

  joe 



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nick FitzGerald
Sent: Saturday, July 03, 2004 1:00 AM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; BUGTRAQ () SECURITYFOCUS COM;
FULL-DISCLOSURE () lists netsys com
Subject: [Full-disclosure] What a difference a char makes...

MS does it again...

I'm not sure whether to laugh or cry.

   http://www.microsoft.com/security/incident/Download_Ject.mspx

   ...

   Actions for Home Users

   ...

   2. Check for Infection

   ...

      3.  At the command prompt, type:
          dir /a /s /b &systemdrive%\kk32.dll
          and then press the ENTER key to search your
          computer.
          If the file is present, the file path is displayed. If
          the file is not present, a message is displayed
          that the system cannot find the path.

There's no prize for spotting the typo, nor for guessing what your typical
home user's reaction will be if they actually follow this "advice".

On reflection, perhaps there should be a prize for the latter, as accurately
guessing that could be quite tricky.  Due to the error (repeated in step 4
-- the glories of cut'n'paste...) the user will receive a possibly quite
long directory listing (after all, at least on Win2K and XP the default
directory for the command prompt will be the current user's "homepath"
directory which houses, by default, as one of its many sub-directories, IE's
TIF) followed by the message, as the very last line of output:

   The system cannot find the path specified.

...

Does MS not employ technical writers?

What about tech reviewers?

What about the age-old publishing concept of having some vaguely clueful
person _who had nothing to do with the generation or layout of the content_
look critical new web pages over before "publishing" them? 
OK, so this is "the web", but critical information still does not deserve an
attitude of "it's just the web", does it?

The odd spelling mistake on the Office or IIS marketing pages we may accept,
but getting something so badly wrong that anyone with two days' experience of
real system administration would spot in an eye-blink _AND_ with such
potentially confusing results is pretty darn shoddy even by MS' own long
history of shoddy security standards...

Could it be worse?  Well, the page has not been posted long enough for
Google to have indexed it, yet...

I wonder when the first softie would have noticed this??

...

One final observation, ignoring that "&" has to be escaped in HTML markup
(encoded as an HTML entity in this case), this is actually the very smallest
of computer errors.  I said "What a difference a char makes..." in my
Subject: line, but this is really just a single bit error, as "%" is 0x25
and "&" 0x26.

Would it be too unkind to conclude that MS doesn't care one bit about
accuracy?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
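
An added example, not part of either message above: a small Python lint for cmd.exe one-liners in published guidance, run over the command exactly as quoted in the post and over the presumably intended form with `%systemdrive%`. The function name and the simplified quoting and caret-escape model are assumptions of this sketch, not a full cmd.exe parser.

```python
def lint_cmd_line(line):
    """Return (column, message) findings for one cmd.exe command line.

    Simplified model (assumption): double quotes protect operators, a caret
    outside quotes escapes the next character, and '%' must occur in pairs.
    """
    findings = []
    in_quotes = False
    escaped = False
    percents = 0
    for col, ch in enumerate(line, start=1):
        if ch == "%":
            percents += 1  # %VAR% expansion also applies inside quotes
        if escaped:
            escaped = False
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes:
            escaped = True
        elif ch in "&|" and not in_quotes:
            findings.append((col, f"unquoted {ch!r} is a cmd.exe operator, not literal text"))
    if percents % 2:
        findings.append((0, "odd number of '%': a %VAR% reference lacks a delimiter"))
    return findings


# The command as quoted in the post, and the presumably intended form.
PUBLISHED = r"dir /a /s /b &systemdrive%\kk32.dll"
INTENDED = r"dir /a /s /b %systemdrive%\kk32.dll"

if __name__ == "__main__":
    for label, cmd in (("published", PUBLISHED), ("intended", INTENDED)):
        results = lint_cmd_line(cmd)
        print(f"{label}: {cmd}")
        for col, msg in results:
            where = f"col {col}" if col else "line"
            print(f"  [{where}] {msg}")
        if not results:
            print("  ok")
```
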
