Re: another product affected by recent MS IE '@' patch

[Nick FitzGerald <nick () virus-l demon co uk>]

martin f krafft <madduck () madduck net> wrote:

> In Germany, and maybe in other parts of the world, some providers
> are attracting customers by announcing webpage packages where email
> address == web address. so, john () doe de is the email, and
> john () doe de is the website, while jane () doe de may be the website of
> john's wife.

Well silly them.

What kind of technical support can you expect from a "technology 
company" that deliberately flouts the standards of the technology it 
employs and provides a service based on known incorect and non-
standards conforming behaviour in a generally available software 
product it has no control over?

> I hope this has not been reported yet, but in the light of the
> recently announced MS IE patch to guard against the URL obfuscation
> attacks (which is a typical MS fix ...

Actually, it is _far_ from a _typical_ MS fix.

First, it actually shows serious levels of clue on the part of whoever 
made and backed the decision to make this fix.  The clue it shows -- 
which is obviously lacking in those who have criticized it -- is that 
security and standards-conformance issues really do matter.  That must 
just about be a first for MS!

Second, it is very unlike MS to "fix" something when they know it will 
break some systems based on the "broken" behaviour.  Many will be 
tempted to disagree vehemently with this, but historically it has been 
the case that when MS has designed something badly (and usually 
outright stupidly when analysed by anyone with a modicum of clue) and 
some grievous problem is shown to be the fault of the general design of 
some feature, MS has generally refused to fix it either "properly" (by 
removing the horribly bad feature) or even at all and generally does so 
on the grounds that "some customers have systems dependent on this 
behaviour".  Of late that attitude has been showing signs of change, 
particularly if the issue is security related.  True, MS also has a 
reputation for producing badly designed and tested fixes that 
unintentionally break existing systems, but that is a different 
matter...

Third, although it does not play on this line at all in its 
justification of the change, it is very unlike MS to "fix" something by 
removing non-standards conforming behaviour, particularly if that 
behaviour has been used as a product differentiator.

> ... and absolutely ridiculous), ...

Ahhhh -- so you're another genius who believes it is "ridiculous" to 
implement standards-conforming behavior?  Or are you another genius who 
believes it is ridiculous for MS to implement improved security 
behaviour in its historically insecure web browser?

Or perhaps you believe _both_ changes are ridiculous?

> ... these
> providers may now renew their product portfolio. Not like M$
> cares...

Let's see -- they had a package that depended on the palpably incorrect 
behaviour of certain web browsers.  The most widely used of the faulty 
web browsers has now been fixed so their "service" has become a dis-
service and this is somehow the fault of the software developer for 
properly fixing their browser?

I don't know what you've been smoking/drinking/whatever, but get off it 
and go read the relevant RFCs -- 1945 & 2616.  Do _NOT_ be misled by 
RFC 2396 -- it is relevant, but largely for the parts of a URI's 
general form that are specifically negated in the other RFCs.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html