
Full Disclosure mailing list archives

Re: Re: MS Security Response is a bunch of half-witted morons
From: Mike Barushok <mikehome () kcisp net>
Date: Fri, 12 Mar 2004 23:43:40 -0600 (CST)

> On Fri, 12 Mar 2004, Troy wrote:
> 
> > On Fri, 12 Mar 2004 16:09:21 -0500, jim_walsh () goodyear com wrote:
> > 
> > Your points are well taken and understandable.  But if you are supporting 
> > a M$ operating system enough to need to read the SB's, then wouldn't your 
> > IE be up to date to read them?  Even if you would just use IE to read M$'s 
> > site?  To sit and scream about web design decisions in this mailing group 
> > seems a little childish.  And if one was to argue that "Anyone needs to 
> > read these articles, not just people that support M$ OS's", well, to 
> > that...most people that have a M$ OS as an end user have auto update 
> > turned on and don't even think twice about it...if they update at all.
> 
> I took Nick's comments differently. The way I understood it, the problem
> is that Microsoft forces you to use a scripting language to read a
> security article. A scripting language could have security problems. As
> a result, many people have JavaScript disabled for security reasons,
> regardless of their version of IE.
> 
> I agree with Nick. It is ironic and unfortunate that MS would force
> users to turn on a potentially unsafe scripting language to read a
> security bulletin.

I agree (mostly), and even worse is when one views the source,
navigates to the links, finds the meat of the article, where it
suggests a workaround for some new flaw of 'disable scripting
in your browser'! (A Cisco advisory about a year and one-half
ago IIRC).

I only throw in the 'mostly' because while I agree with the
point of the OP, I do recognize that Microsoft does not 'force'
anyone to use scripting, they are only making it difficult for
the average Aunt Tilly to comprehend what security settings are
'best practice' and which are paranoid, and what functionality
the user should reasonably expect to lose by being more 'safe'.

There have been lots of third parties advising that uninstalling
WSH on Win98 was an excellent idea until around the time that
some script on WindowsUpdate called it directly so one had to
choose between re-installing WSH or never getting updates.
And apparently WSH was only being invoked for some time
elapsed display or something equally trivial, yet the
'checking for updates' would not complete without it.

Is there no way to suggest to Microsoft that the wording
when scripting is set to prompt that 'scripts are usually
safe' is misleading and unuseful? I mean some way that they
might sit up and take notice of?

At one time it seemed like at least government web sites were
trying their hardest to avoid requiring or suggesting cookies
or scripting, but lately they too have mostly gone over to the
dark side. 

I am told that if scripting is set to 'prompt for action' (or
whatever it calls it) in IE on Windows, Outlook Express
suggests that thing about scripts usually being safe ... twice
(if you say no) when opened, yet no apparent difference in
functionality can be discerned. So either OE has just a nuisance
reminder that you have set scripting security to ask, or there is
some not fully observable reason that OE is running a script.

Does anyone know what script(s) OE is loading when it is opened?

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
