Full Disclosure mailing list archives
Re: another product affected by recent MS IE '@' patch
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Feb 2004 09:08:14 +1300
martin f krafft <madduck () madduck net> wrote:
In Germany, and maybe in other parts of the world, some providers are attracting customers by announcing webpage packages where email address == web address. so, john () doe de is the email, and john () doe de is the website, while jane () doe de may be the website of john's wife.
Well silly them. What kind of technical support can you expect from a "technology company" that deliberately flouts the standards of the technology it employs and provides a service based on known incorect and non- standards conforming behaviour in a generally available software product it has no control over?
I hope this has not been reported yet, but in the light of the recently announced MS IE patch to guard against the URL obfuscation attacks (which is a typical MS fix ...
Actually, it is _far_ from a _typical_ MS fix. First, it actually shows serious levels of clue on the part of whoever made and backed the decision to make this fix. The clue it shows -- which is obviously lacking in those who have criticized it -- is that security and standards-conformance issues really do matter. That must just about be a first for MS! Second, it is very unlike MS to "fix" something when they know it will break some systems based on the "broken" behaviour. Many will be tempted to disagree vehemently with this, but historically it has been the case that when MS has designed something badly (and usually outright stupidly when analysed by anyone with a modicum of clue) and some grievous problem is shown to be the fault of the general design of some feature, MS has generally refused to fix it either "properly" (by removing the horribly bad feature) or even at all and generally does so on the grounds that "some customers have systems dependent on this behaviour". Of late that attitude has been showing signs of change, particularly if the issue is security related. True, MS also has a reputation for producing badly designed and tested fixes that unintentionally break existing systems, but that is a different matter... Third, although it does not play on this line at all in its justification of the change, it is very unlike MS to "fix" something by removing non-standards conforming behaviour, particularly if that behaviour has been used as a product differentiator.
... and absolutely ridiculous), ...
Ahhhh -- so you're another genius who believes it is "ridiculous" to implement standards-conforming behavior? Or are you another genius who believes it is ridiculous for MS to implement improved security behaviour in its historically insecure web browser? Or perhaps you believe _both_ changes are ridiculous?
... these providers may now renew their product portfolio. Not like M$ cares...
Let's see -- they had a package that depended on the palpably incorrect behaviour of certain web browsers. The most widely used of the faulty web browsers has now been fixed so their "service" has become a dis- service and this is somehow the fault of the software developer for properly fixing their browser? I don't know what you've been smoking/drinking/whatever, but get off it and go read the relevant RFCs -- 1945 & 2616. Do _NOT_ be misled by RFC 2396 -- it is relevant, but largely for the parts of a URI's general form that are specifically negated in the other RFCs. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- another product affected by recent MS IE '@' patch martin f krafft (Feb 08)
- Re: another product affected by recent MS IE '@' patch Nick FitzGerald (Feb 08)
- Re: another product affected by recent MS IE '@' patch mescsa (Feb 08)
- Re: another product affected by recent MS IE '@' patch Nick FitzGerald (Feb 08)
- Re: another product affected by recent MS IE '@' patch Guido van Rooij (Feb 09)
- Re: another product affected by recent MS IE '@' patch Guido van Rooij (Feb 09)
- Re: another product affected by recent MS IE '@' patch mescsa (Feb 09)
- Exclusive: Windows 2000 & Windows NT 4 Source Code Leaks jB (Feb 12)
- Re: another product affected by recent MS IE '@' patch mescsa (Feb 08)
- Re: another product affected by recent MS IE '@' patch Nick FitzGerald (Feb 08)
- <Possible follow-ups>
- RE: another product affected by recent MS IE '@' patch David Farinic (Feb 09)
- RE: another product affected by recent MS IE '@' patch Darren Bennett (Feb 09)
- RE: another product affected by recent MS IE '@' patch Brad Griffin (Feb 09)