I write this in the wake of March's "Patch Tuesday" -- the second Tuesday of each calendar month that has become...
a day many Windows system and security managers rue.
However, March was relatively quiet, as these things go. Aside from the usual Patch Tuesday activities, I noticed that Microsoft had also revamped the design of its security bulletins, as published in the security section of its TechNet Web site.
So, why is a Web page redesign worth an opinion piece?
Well, we're talking about Microsoft's premier resource for technical, security update information. Further, Microsoft has now spent a little more than two years campaigning hard to convince its customers that it has now "seen the light" and that security is now its No. 1 priority.
It's more than slightly ironic, then, that the TechNet Web site redesign rendered the most important technical information from the security bulletins unreadable to users with the most securely configured Web browsers. The "problem" was that the new design used some formats from the associated stylesheet to control the visibility of those sections, and, in turn, the application or removal of those styles was controlled by links activating client-side scripts that partially rewrote the page.
When one recalls that client-side scripting has been all but indispensable in exploiting most Web browser vulnerabilities -- even when the problem hasn't been in the scripting engine -- the irony deepens further. Add that Microsoft's own browser seems to have been especially heavily endowed with such vulnerabilities and it would be laughable, were Microsoft not so haughtily astride its "security above all else" promotional kick. I could continue about Microsoft's attractiveness as a target for hackers, the lack of use of TLS on these pages, the frailty of the trust we can hold in VeriSign-issued certificates if such was used, and so on, but the point should be clear, at least to those who understand risk analysis.
My posting on this topic to three widely read computer security mailing lists resulted in a few complaints that I had been unduly harsh about the Microsoft Security Response Center folks, who really were just providing content. I apologize for using MSRC as the focal point for my barrage when really the fault lies squarely with Microsoft as a whole.
Why is it sad that Microsoft chose this solution? Well, it's hard to say from the outside looking in, but it seems unlikely the current solution raised any security or responsibility issues with the Web designers. It and the MSRC content producers just had to tweak what they were doing to quiet a squeaky wheel.
NICK FITZGERALD worked as a support consultant in the IT department at the University of Canterbury for close to 10 years, before moving to the UK to take up the editorship of Virus Bulletin in 1997. For the last several years he has worked as an independent antivirus consultant and as a contract antivirus researcher in New Zealand.
Dig Deeper on Secure software development