Commentary and insight on web development and the Internet at large written with a wry smile and a hungry look.
the joys of disabling Javascript - Mon May 31, 2010
I suppose that I am paranoid by nature, at least with respect to web technologies. Javascript, for example, is obviously a powerful, feature-friendly way of creating dynamic content, but the idea of client-side scripting that is not under the user's control has always made me a little nervous (the vast majority of browser exploits rely on it, for example). So my default browsing environment has ads blocked and Javascript disabled.
More and more these days I am seeing artifacts of new-school web designers either confusing or forgetting that the client side is not under their control and that not everyone (or everything, such as the plethora of bots out there) sees the world through rosy Javascript-coloured glasses. Take the NHL's web designers for a Javascript-less ride and we get this:
What's in the red circle? Let us take a look:
//values were inserted here in example
It is hard to tell whether someone was taking "copy and paste" too literally or whether a third party is injecting content they should not be, but nonetheless it makes for an amusing and informative Google search.
The obvious lesson is: do not forget to test your code with Javascript disabled, because at the very least Google will.
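One way to make that check routine, as an added example that is not code from this post: a small Python script that extracts the text a Javascript-less client (a crawler, or a browser with scripting off) actually sees, dropping script and style bodies but keeping noscript fallbacks, and then flags visible lines that look like script. The sample HTML is constructed to reproduce the kind of slip shown above (a closing script tag placed one line too early), and the helper names and the leak heuristic are my own, not anything from the NHL page.

```python
"""Added example (not the post's own code): see a page the way a Javascript-less
client does and flag script fragments that leak into the visible text."""
import re
import sys
from html.parser import HTMLParser

# Constructed sample reproducing the slip described in the post: the closing
# </script> tag sits one line too early, so the comment that follows it is no
# longer script but ordinary page text that a bot or a no-JS browser will show.
SAMPLE_HTML = """<html><body>
<h1>Scores</h1>
<script type="text/javascript">
  var scores = [];
</script>
  //values were inserted here in example
<noscript><p>Enable JavaScript to see live scores.</p></noscript>
<div id="live"></div>
</body></html>
"""

# Heuristic (an assumption of this example) for text that was meant to be
# JavaScript: line comments, block comments, function/var declarations,
# jQuery-style calls and DOM access.
SCRIPT_LIKE = re.compile(r"^//|/\*|\bfunction\s*\(|\bvar\s+\w+\s*=|\$\(|\bdocument\.")


class VisibleText(HTMLParser):
    """Collects the text a client that does not run JavaScript would render.

    <script> and <style> bodies are dropped; <noscript> content is kept because
    that is exactly what such a client displays.
    """

    HIDDEN = {"script", "style"}

    def __init__(self):
        super().__init__()
        self._hidden_depth = 0
        self.lines = []

    def handle_starttag(self, tag, attrs):
        if tag in self.HIDDEN:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in self.HIDDEN and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if self._hidden_depth:
            return
        for line in data.splitlines():
            line = line.strip()
            if line:
                self.lines.append(line)


def visible_text(html):
    """Return the non-empty visible text lines of `html`, in document order."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return parser.lines


def find_leaked_script(html):
    """Return visible lines that look like JavaScript, i.e. probable leaks."""
    return [line for line in visible_text(html) if SCRIPT_LIKE.search(line)]


if __name__ == "__main__":
    # Usage: python nojs_check.py [saved_page.html]; defaults to the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            html = fh.read()
    else:
        html = SAMPLE_HTML
    for line in find_leaked_script(html):
        print("leaked script fragment:", line)
```

Run it against a saved copy of a page; anything it reports is text that script-less visitors and crawlers are already reading and indexing, which is exactly how the fragment above ended up being a Google search result.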
topics: javascript, opinion, programming
I heart full disclosure - Wed Aug 05, 2009
I shudder to think what a world without full disclosure would look like.
For those not familiar with the term, "full disclosure" is security jargon for the practice of fully divulging details about discovered vulnerabilities, often with proof-of-concept examples proving the existence of the bug. With full disclosure there is normally no doubt about whether a given issue affects you: having all of the details lets you test it for yourself.
The reason I consider this approach to handling security vulnerabilities so important can be summed up with a few facts about a pair of recent Microsoft security bulletins:
Now both of these issues are considered critical, and security bulletins were sent out on August 11, 2009. However, in the first case the vendor (Microsoft) was told of the vulnerability privately over two years previously (2007-03-19) and in the second over a year previously (2008-04-07). Microsoft does not believe in full disclosure (nor does the commercial security researcher in this case), which means that for over two years the only people who knew about the first issue outside of the vendor and researcher were blackhats and other ne'er-do-wells. Without full disclosure this is what happens, as there is no pressure on the vendor to deal with critical issues in a timely manner. The vendor often considers the chance of bad publicity to outweigh the dangers posed to their customers.
Now let's compare that with the recent WordPress admin password reset vulnerability, posted on August 10, 2009 using full disclosure (all the details, example exploit). A mere day later, WordPress was patched to correct the issue. Not two years, not one year, not even a month: a single day!
In my opinion full disclosure is the most efficient way of minimizing the window of exposure between a vulnerability being discovered and a solution being in place.
Wikipedia has a decent article on full disclosure including links to contrary arguments for those wishing to do further reading on the topic.