Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 17 Jan 2005 12:44:54 +1300

Marc Haber wrote:

> iDEFENSE Security Advisory 01.14.05
> www.idefense.com/application/poi/display?id=183&type=vulnerabilities
>
> That web page is only viewable with JavaScript enabled, and is thus
> unviewable with a browser configured to minimize the surfing risk. For
> a security-related organization, I consider this poor design.

I've tried that line against them several times in the past.  It seems 
they just don't care, so I take that to mean iDEFENSE is _NOT_ "a 
security-related organization".

Perhaps the purpose of the script gives us a clue as to the true nature 
of iDEFENSE's business?

There are two scripts in that page (in fact, last I checked, these 
scripts govern access to most pages on the iDEFENSE site).  The first 
is an external script called thus:

   <script type="text/javascript" src="/js/flashdetect.js"></script>

http://www.idefense.com/js/flashdetect.js sets a bunch of variables to 
"false", including "isFlash5" and "isFlashMX", then proceeds to 
determine whether either of the above should be set to "true".

The second script is page-specific because it includes content-specific 
URL redirections using JavaScript's "location" function (reformatted to 
a more Email-friendly indentation):

   <script language="JavaScript" type="text/javascript">
     //<!--
       if (isFlashMX) {
         location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=true';
       }
       else {
         location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=false';
       }
     //-->
   </script>

So, we can "fix" this dependence on scripting by using your preferred 
choice of these URLs:

   http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities&flashstatus=false

   http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities&flashstatus=true
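As an added example (not from this post or from iDEFENSE's site), one way to recover such script-only redirects without executing the script is to scan the markup for `location = '...'` assignments and resolve each target against the page URL. The sample HTML below is constructed from the snippet quoted above.

```javascript
// Added example: find JavaScript "location = '...'" redirects in page markup
// without running the script, and resolve them against the page's own URL.
// SAMPLE_HTML and SAMPLE_PAGE_URL are constructed from the snippet in the post.
const SAMPLE_PAGE_URL =
  "http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities";

const SAMPLE_HTML = `
<script type="text/javascript" src="/js/flashdetect.js"></script>
<script language="JavaScript" type="text/javascript">
  //<!--
    if (isFlashMX) {
      location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=true';
    }
    else {
      location = '/application/poi/display?id=183&type=vulnerabilities&flashstatus=false';
    }
  //-->
</script>`;

// Inline <script> bodies; an external src script has no body here to scan.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// Assignments to location, window.location, document.location or location.href.
const LOCATION_RE =
  /(?:window\.|document\.)?location(?:\.href)?\s*=\s*(['"])([^'"]+)\1/g;

// Returns the absolute redirect targets in document order, without duplicates.
function extractScriptRedirects(html, pageUrl) {
  const targets = [];
  for (const script of html.matchAll(SCRIPT_RE)) {
    for (const m of script[1].matchAll(LOCATION_RE)) {
      // Relative targets such as "/application/..." resolve against pageUrl.
      const absolute = new URL(m[2], pageUrl).toString();
      if (!targets.includes(absolute)) targets.push(absolute);
    }
  }
  return targets;
}

// Both flashstatus URLs are recovered from the sample without running any script.
console.log(extractScriptRedirects(SAMPLE_HTML, SAMPLE_PAGE_URL));
```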

Clearly the purpose of these scripts is to direct us to a "Flash-
enabled" version of the page if our browsers are considered to be 
"Flash enough" to handle the required Flash version.  So what do the 
fancy, Flash versions of these pages offer that the non-Flash versions 
don't?

An egregiously animated background graphic for the "Power of 
Intelligence" banner and a typically anti-browser-navigation methods 
"Flash" menu.

Some agency or "celebrity designer" was probably badly overpaid for 
this excess of design indulgence over content accessibility, so it 
seems that marketing is a greater objective here than information 
provision and access...

Microsoft retroactively (i.e. in response to complaints) fixed its 
security bulletins last time they were re-designed by a gnat who could 
not only not comprehend that some folk willingly browse the web with 
scripting and ActiveX disabled, but was obviously given a design 
briefing, written by someone at the supposedly now entirely security-
focussed Redmond giant, that did not specify suitable usability 
guidelines for the pages in question for varying levels of browser 
security setting.

Sophos fixed its recently re-designed into scripting hell virus 
description web pages following user complaints.

Shall we see if iDEFENSE can actually use "the power of intelligence" 
it claims to be able to provide its customers and produce security 
advisory pages that are actually functionally useful to its most 
security-conscious web visitors, rather than (perhaps) being the most 
visually appealing eye-candy for the security-ignorant it hopes to 
entice into being its new customers?


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html