OPINION: Will Microsoft ever get its act together?

Microsoft has revamped its security bulletins, as published in the security section of its TechNet Web site, and the redesign itself raises security concerns.

I write this in the wake of March's "Patch Tuesday" -- the second Tuesday of each calendar month that has become a day many Windows system and security managers rue.

However, March was relatively quiet, as these things go. Aside from the usual Patch Tuesday activities, I noticed that Microsoft had also revamped the design of its security bulletins, as published in the security section of its TechNet Web site.

So, why is a Web page redesign worth an opinion piece?

Well, we're talking about Microsoft's premier resource for technical, security update information. Further, Microsoft has now spent a little more than two years campaigning hard to convince its customers that it has now "seen the light" and that security is now its No. 1 priority.

It's more than slightly ironic, then, that the TechNet Web site redesign rendered the most important technical information from the security bulletins unreadable to users with the most securely configured Web browsers. The "problem" was that the new design used styles from the associated stylesheet to hide those sections in the page as served, and the application or removal of those styles was triggered by links that ran client-side scripts to partially rewrite the page. In a browser with scripting disabled, the links did nothing and the technical sections stayed hidden.

When one recalls that client-side scripting has been all but indispensable in exploiting most Web browser vulnerabilities -- even when the problem hasn't been in the scripting engine -- the irony deepens further. Add that Microsoft's own browser seems to have been especially heavily endowed with such vulnerabilities, and it would be laughable were Microsoft not so haughtily astride its "security above all else" promotional kick. I could continue about Microsoft's attractiveness as a target for hackers, the lack of TLS on these pages, the frailty of the trust we can place in VeriSign-issued certificates if such were used, and so on, but the point should be clear, at least to those who understand risk analysis.

My posting on this topic to three widely read computer security mailing lists resulted in a few complaints that I had been unduly harsh about the Microsoft Security Response Center folks, who really were just providing content. I apologize for using MSRC as the focal point for my barrage when really the fault lies squarely with Microsoft as a whole.

Sadly, MSRC has "addressed" the problem. Did it get the Web designers to create a new design without the scripting issues? No -- it reformatted the content so that the served page doesn't contain the evil JavaScript links, or the hidden sections, unless scripting is enabled. Thus, when viewing the page in a securely configured browser, the full content is in view and there's no need to click links to "unhide" the technical details sections and make them readable. However, when you load the pages with scripting enabled, the new scripting writes additional tags around the "hidden" sections, so a scripting-enabled browser sees the same collapsed layout that the originally served pages presented to every browser, whatever its scripting setting.
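To make the two designs concrete, here is an added example (not Microsoft's TechNet markup or script, which this article does not reproduce) that models both: the original design, where the technical section is hidden by a stylesheet rule in the served HTML and only a javascript: link reveals it, and the MSRC fix, where the section is served visible and script adds the collapsing only when it runs. The markup, ids and class names are constructed for illustration. The two check functions answer the question a security-conscious reader cares about: what does a browser with scripting disabled actually get to read?

```javascript
// Added example, not code from the original article or from Microsoft.
// The markup below is constructed for illustration only.

// Design 1 (as originally served): the section is hidden by the stylesheet
// in the served HTML, and a javascript: link is the only way to reveal it.
// With scripting disabled the link is inert and the text is never readable.
const ORIGINAL_DESIGN = `
<style>.collapsed { display: none; }</style>
<h2>Vulnerability Details</h2>
<a href="javascript:toggle('tech-details')">Show details</a>
<div id="tech-details" class="collapsed">Affected components ...</div>
<script>
  function toggle(id) {
    document.getElementById(id).classList.toggle('collapsed');
  }
</script>`;

// Design 2 (the fix as the article describes it): the same section is
// served visible. Only when script runs is the hiding class applied and a
// toggle link written in, so a script-disabled browser sees the full text.
const FIXED_DESIGN = `
<style>.collapsed { display: none; }</style>
<h2>Vulnerability Details</h2>
<div id="tech-details">Affected components ...</div>
<script>
  var d = document.getElementById('tech-details');
  d.classList.add('collapsed');
  var a = document.createElement('a');
  a.href = '#';
  a.textContent = 'Show details';
  a.onclick = function () { d.classList.toggle('collapsed'); return false; };
  d.parentNode.insertBefore(a, d);
</script>`;

// Class names whose rule in a <style> block sets display:none.
function hiddenClasses(html) {
  const hidden = new Set();
  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let style;
  while ((style = styleRe.exec(html)) !== null) {
    const ruleRe = /\.([\w-]+)\s*\{([^}]*)\}/g;
    let rule;
    while ((rule = ruleRe.exec(style[1])) !== null) {
      if (/display\s*:\s*none/i.test(rule[2])) hidden.add(rule[1]);
    }
  }
  return hidden;
}

// ids of elements a script-disabled browser never shows: elements whose
// class attribute in the served markup matches a display:none rule.
function staticallyHiddenIds(html) {
  const hidden = hiddenClasses(html);
  const ids = [];
  const tagRe = /<(\w+)\b([^>]*)>/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = tag[2];
    const id = /\bid="([^"]*)"/.exec(attrs);
    const cls = /\bclass="([^"]*)"/.exec(attrs);
    if (!id || !cls) continue;
    if (cls[1].split(/\s+/).some((c) => hidden.has(c))) ids.push(id[1]);
  }
  return ids;
}

// Count of javascript: links in the served markup; each is a dead link for
// a browser with scripting disabled.
function javascriptLinkCount(html) {
  return (html.match(/href="javascript:[^"]*"/gi) || []).length;
}

console.log(staticallyHiddenIds(ORIGINAL_DESIGN)); // ['tech-details']
console.log(staticallyHiddenIds(FIXED_DESIGN));    // []
```

The checks deliberately look only at the HTML as served, because that is all a script-disabled browser ever acts on: whatever a script would have added or removed is irrelevant to that reader. The same two checks can be pointed at any page that hides content behind script-driven styles.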

Why is it sad that Microsoft chose this solution? Well, it's hard to say from the outside looking in, but it seems unlikely the current solution raised any security or responsibility issues with the Web designers. They and the MSRC content producers just had to tweak what they were doing to quiet a squeaky wheel.

NICK FITZGERALD worked as a support consultant in the IT department at the University of Canterbury for close to 10 years, before moving to the UK to take up the editorship of Virus Bulletin in 1997. For the last several years he has worked as an independent antivirus consultant and as a contract antivirus researcher in New Zealand.
