[30916] in bugtraq


Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

daemon@ATHENA.MIT.EDU (Kee Hinckley)
Sat Jul 26 13:05:44 2003

Mime-Version: 1.0
Message-Id: <p06001714bb479d01c422@[192.168.1.104]>
In-Reply-To: <3F21788B.9070204@syneticon.de>
Date: Fri, 25 Jul 2003 22:59:37 -0400
To: Denis Jedig <seclists@syneticon.de>
From: Kee Hinckley <nazgul@somewhere.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 8:35 PM +0200 7/25/03, Denis Jedig wrote:
>Internet Explorer seems to take no offense at Content-Types either - 
>text/plain from a web server is happily rendered as HTML, if it 
>contains valid tags.

It has long been a standard assertion that programs should produce 
standard-compliant protocols, but be lenient in accepting data 
contrary to the standard.  Microsoft has taken this one step further. 
In addition to attempting (not unreasonably) to try and guess what 
the user is trying to do, they've written code that tries to guess 
what a remote client or server is trying to do.  I think a history of 
Microsoft security holes clearly shows that this is *not* an 
appropriate programming practice.  The acceptance of incorrect data 
makes security scanning by intermediate parties extremely difficult. 
Attempting to "correct" for incorrect remote behavior benefits 
nobody.  It encourages programs and people to generate incorrect 
code, and it opens up security holes when by the standard there ought 
to be none.  We've seen this time after time in things like HTML code 
embedded in JPEG comments, decimal IP addresses using intentional 
overflows, and a plethora of other cases.  Policies that make sense 
in dealing with end user actions can be deadly when used with remote 
standards and protocols.

(Of course this policy also has the side effect of making it 
extremely difficult for smaller players to compete with the dominant 
one, since they have to be bug-for-bug compatible.)
-- 
Kee Hinckley
http://www.messagefire.com/          Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
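The two hazards the message names, a text/plain body that a sniffing client will render as HTML and a numeric host that a lenient address parser accepts but a strict one rejects, as an added example that is not part of the original post or of any browser's code. It assumes the lenient grammar of the classic BSD inet_aton() (one to four dot-separated parts, each decimal, 0-prefixed octal or 0x-prefixed hex, the last part filling the remaining bytes); the HTML detection is a simple tag heuristic, not a reproduction of Internet Explorer's sniffing logic; the sample responses and hosts are constructed, not captured traffic.

```python
"""Checks for the 'lenient acceptance' hazards discussed above.

Added example, not code from the original post.  Assumptions: the
lenient IP grammar mirrors the classic BSD inet_aton() rules; the HTML
detection is a tag heuristic, not any browser's sniffing algorithm.
"""
import re

# Opening tags that a sniffing client is likely to treat as markup.
_TAG_RE = re.compile(r"<\s*(html|head|body|script|iframe|img|a|div|p)\b", re.I)


def strict_ipv4(host):
    """Return the 32-bit value only for canonical dotted-decimal a.b.c.d."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    value = 0
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
        value = (value << 8) | int(p)
    return value


def lenient_ipv4(host):
    """inet_aton()-style parse (assumed BSD grammar): accepts '3232235880',
    '0xC0.0xA8.1.104', '0300.0250.1.104', '192.168.360' and similar.
    Returns the 32-bit value or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            nums.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]*", p):
            nums.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            nums.append(int(p, 10))
        else:
            return None
    # Every part but the last must fit in one byte; the last fills the rest,
    # which is exactly where the "intentional overflow" forms come from.
    *lead, last = nums
    if any(n > 255 for n in lead):
        return None
    remaining_bits = 8 * (4 - len(lead))
    if last >= (1 << remaining_bits):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    return (value << remaining_bits) | last


def dotted(value):
    """Render a 32-bit value as canonical dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def host_is_disguised_ip(host):
    """True when a lenient parser resolves the host but a strict one does
    not, i.e. a form that a scanner keyed on dotted-decimal would miss."""
    return strict_ipv4(host) is None and lenient_ipv4(host) is not None


def text_plain_looks_like_html(content_type, body):
    """True when a response declared text/plain carries markup that a
    sniffing client may render as HTML (heuristic, not a browser model)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "text/plain" and _TAG_RE.search(body) is not None


# Constructed sample data (not captured traffic).
SAMPLE_RESPONSES = [
    ("text/plain; charset=us-ascii", "Just a note, nothing to see."),
    ("text/plain", "<html><body><script>alert('OUTLOOK EXPRESS')</script></body></html>"),
    ("text/html", "<html><body>declared honestly</body></html>"),
]
SAMPLE_HOSTS = ["192.168.1.104", "3232235880", "0xC0.0xA8.1.104",
                "192.168.360", "example.com"]


def scan():
    """Run both checks over the sample data; return a list of findings."""
    findings = []
    for ct, body in SAMPLE_RESPONSES:
        if text_plain_looks_like_html(ct, body):
            findings.append(("sniffable-html", ct))
    for h in SAMPLE_HOSTS:
        if host_is_disguised_ip(h):
            findings.append(("disguised-ip", h, dotted(lenient_ipv4(h))))
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(*finding)
```

The point of pairing the two parsers is the one the message makes about intermediate scanners: a filter that only recognises the canonical form will pass "3232235880" or "192.168.360" while the lenient client on the other side still connects to 192.168.1.104, so a scanner has to accept the same sloppy grammar as the client it protects, or be bypassed.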
