
Full Disclosure mailing list archives

Re: MS Security Response is a bunch of half-witted morons
From: "Charles J. Wertz" <wertzcj () buffnet net>
Date: Fri, 12 Mar 2004 14:12:56 -0500

MS is not alone. More and more web sites don't work without scripting and/or cookies. I guess cookies are a lesser evil. I'm constantly faced with the decision whether or not a particular piece of content means enough to me that I'll turn on the script. In fact, I now run two browsers, Mozilla with scripting and Firebird without, because I found I'd sometimes forget to turn the scripting back off. I wonder if anything can be done. It would probably take an organized movement that could convince businesses they were going to lose a lot of sales. I don't know what would convince MS. A LOT of bad press might do it, but then again, it might not. Too many people probably don't even understand the risk.

At 07:57 PM 3/11/2004, Nick FitzGerald wrote:
Try to read Microsoft's latest security epistles:


with a browser that does not have JavaScript enabled...

(And yes, they have retrofitted this "improvement" to _all_ previous
security bulletins...)

Earth to MSRP:

1.  Your job is to improve security.

2.  Two years ago Billy Boy charged the whole of the company to
straighten up its act as regards security.

3.  MS Security Bulletins were "improved" about 24-30 months ago by a
web design team that clearly does not have an ounce of security smarts
among its entire membership.  That "improvement" (_purely_ aesthetic,
and highly debatable anyway) made the bulletins unreadable in IE unless
you are prepared to trust MS and its web presence providers (I'm not
for various reasons -- the company as a whole is just far too large and
"attractive" a target; there have been some very bad whoops-es with
Akamai and the Nimda virus; etc).  Anyway, that "improvement" was the
final straw that moved me to using Mozilla as my browser of choice, as
it rendered that "improved" form of your pages fine, _and_ with
scripting and the like disabled.

4.  Now the Security Bulletins have been "improved" even further,
turning the detail expansion links into frelling javascript links.
What in the blue blazes is between the ears of your web development
folk?  Have they forgotten that the venerable HREF tag can work without
scripting, ActiveX and all manner of other popular but unnecessary cr*p
that web designers can't seem to ignore?  When it comes to security
bulletins, f*ck art -- give me _readable content_.


A few weeks back some online magazine editor was asking for clear,
reasoned arguments that "Microsoft just doesn't get security".
Arguments be damned -- if you have two security clues you only have to
look at MS' own security web pages to _see_ that "Microsoft just
doesn't get security".

TCI is clearly a media and PR circus.

(In case the magazine editor and his conspirator still do not get the
point of the above, Microsoft has no business dictating _my_ or _anyone
else's_ security policies.  This is as fundamental an aspect of
security as there is.  Posting its security bulletins in a format that
requires their readers to set their browsers to a configuration that is
acknowledged to be _severely security lowering_, while maintaining that
it is doing everything possible to improve the security of its
products, is the height of hypocrisy and clearly makes a lie of its
public proclamations that it is working to further improve security.)

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
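As an added example that is not part of this thread: a small Node.js script that audits the anchors in a page's HTML and flags the "detail expansion" links that stop working once scripting is disabled, the complaint in point 4 of Nick's message. The markup is constructed for the example, not taken from any Microsoft bulletin, and the classification rules are my own.

```javascript
// Added example (not from the thread): audit anchors in a bulletin page's HTML
// and flag the ones that only lead somewhere with scripting enabled.
// SAMPLE_HTML is constructed markup, not a real Microsoft bulletin.
const SAMPLE_HTML = `
<a href="#details-1" onclick="toggle('details-1'); return false;">Expand</a>
<a href="javascript:toggle('details-2')">Expand</a>
<a href="#" onclick="toggle('details-3')">Expand</a>
<a href="/bulletins/ms04-011-details.asp">Full details</a>
<a href="https://www.microsoft.com/technet/">TechNet</a>
`;

// Pull every <a ...> start tag and its attributes out of an HTML string.
// Regex-based on purpose: an offline audit over archived pages, not a
// browser-grade parser.
function extractAnchors(html) {
  const anchors = [];
  const tagRe = /<a\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    anchors.push(attrs);
  }
  return anchors;
}

// Classify one anchor: does it still lead somewhere with scripting off?
function classifyAnchor(attrs) {
  const href = (attrs.href || "").trim();
  if (/^javascript:/i.test(href)) return "script-only";               // javascript: URL
  if ((href === "" || href === "#") && attrs.onclick) return "script-only"; // dead without onclick
  if (href.startsWith("#") && attrs.onclick) return "degrades";        // fragment target still works
  return "plain";
}

// Summarise a page: counts per class plus the hrefs that are script-only.
function auditLinks(html) {
  const summary = { plain: 0, degrades: 0, "script-only": 0, scriptOnlyHrefs: [] };
  for (const attrs of extractAnchors(html)) {
    const cls = classifyAnchor(attrs);
    summary[cls] += 1;
    if (cls === "script-only") summary.scriptOnlyHrefs.push(attrs.href || "");
  }
  return summary;
}

console.log(auditLinks(SAMPLE_HTML));
```

A "degrades" link keeps a real fragment target, so a reader with scripting off still reaches the content; "script-only" links are the ones that make a bulletin unreadable without JavaScript.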
