[Full-Disclosure] another product affected by recent MS IE '@' patch
nick at virus-l.demon.co.uk
Sun Feb 8 20:08:14 GMT 2004
martin f krafft <madduck at madduck.net> wrote:
> In Germany, and maybe in other parts of the world, some providers
> are attracting customers by announcing webpage packages where email
> address == web address. so, john at doe.de is the email, and
> john at doe.de is the website, while jane at doe.de may be the website of
> john's wife.
Well silly them.
What kind of technical support can you expect from a "technology
company" that deliberately flouts the standards of the technology it
employs and provides a service based on known incorect and non-
standards conforming behaviour in a generally available software
product it has no control over?
> I hope this has not been reported yet, but in the light of the
> recently announced MS IE patch to guard against the URL obfuscation
> attacks (which is a typical MS fix ...
Actually, it is _far_ from a _typical_ MS fix.
First, it actually shows serious levels of clue on the part of whoever
made and backed the decision to make this fix. The clue it shows --
which is obviously lacking in those who have criticized it -- is that
security and standards-conformance issues really do matter. That must
just about be a first for MS!
Second, it is very unlike MS to "fix" something when they know it will
break some systems based on the "broken" behaviour. Many will be
tempted to disagree vehemently with this, but historically it has been
the case that when MS has designed something badly (and usually
outright stupidly when analysed by anyone with a modicum of clue) and
some grievous problem is shown to be the fault of the general design of
some feature, MS has generally refused to fix it either "properly" (by
removing the horribly bad feature) or even at all and generally does so
on the grounds that "some customers have systems dependent on this
behaviour". Of late that attitude has been showing signs of change,
particularly if the issue is security related. True, MS also has a
reputation for producing badly designed and tested fixes that
unintentionally break existing systems, but that is a different
Third, although it does not play on this line at all in its
justification of the change, it is very unlike MS to "fix" something by
removing non-standards conforming behaviour, particularly if that
behaviour has been used as a product differentiator.
> ... and absolutely ridiculous), ...
Ahhhh -- so you're another genius who believes it is "ridiculous" to
implement standards-conforming behavior? Or are you another genius who
believes it is ridiculous for MS to implement improved security
behaviour in its historically insecure web browser?
Or perhaps you believe _both_ changes are ridiculous?
> ... these
> providers may now renew their product portfolio. Not like M$
Let's see -- they had a package that depended on the palpably incorrect
behaviour of certain web browsers. The most widely used of the faulty
web browsers has now been fixed so their "service" has become a dis-
service and this is somehow the fault of the software developer for
properly fixing their browser?
I don't know what you've been smoking/drinking/whatever, but get off it
and go read the relevant RFCs -- 1945 & 2616. Do _NOT_ be misled by
RFC 2396 -- it is relevant, but largely for the parts of a URI's
general form that are specifically negated in the other RFCs.
Full-Disclosure is hosted and sponsored by Secunia.