When web sites rely on security holes


Perhaps the biggest risk when making a change in the name of security is all the things that may have been relying on the previously-lax security settings. After all, disabling an insecure feature is easy. The hard part is disabling it while retaining compatibility with people who were relying on that feature. In the security investigations I've been involved with, perhaps the largest chunk of my time is spent trying to find a way to mitigate the security hole without breaking existing customers. (And it's the Line of Business scenario that is the biggest question mark.)

Here's a real-life example: Consider a sports web site which sells a service to subscribers wherein the site creates a pop-up window whenever a game's score has changed or some other significant event has occurred. That way, you can leave your browser minimized and go about your day, but when something happens in the game, it will pop up an alert.

The round of security changes in Windows XP SP2 broke this site because the rules on positioning of pop-up windows were tightened so that pop-up windows could not appear outside the browser itself. This prevents pop-up windows from being used to cover important browser elements (such as the status bar, the address bar, or a security dialog) and makes it harder for pop-ups to masquerade as system dialogs. But it also broke this company's business model.

And of course, if Microsoft does something that causes you to lose money, you sue.

There were probably corporations that had internal web sites that relied on the ability to position pop-ups without restriction. Those corporations no doubt also complained about this change in the name of security.

As with most security changes that have compatibility consequences, a "safety valve" was added to return to the old insecure behavior for those customers who were relying on it. In this case, you can put the affected sites in the Trusted Sites zone and enable the "Allow script-initiated windows without size or position constraints" setting. But this is just a stop-gap, re-opening the security hole to let this site continue to operate the way it does. The real fix is not to rely on the security hole.
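The positioning rule and the Trusted Sites override described above, modelled as an added example (this is not code from the post or from IE; the browser rectangle, the feature-string parser, the trusted-site list and the policy function are my own constructions):

```javascript
// Added example, not from the original post. Models the XP SP2 rule that a
// script-opened pop-up must fit inside the browser window, and the Trusted
// Sites "Allow script-initiated windows without size or position constraints"
// override. The feature string has the window.open(url, name, features) shape;
// everything else (rectangles, trusted list) is constructed sample data.

// Parse "left=-5000,top=20,width=300,height=200" into an object.
function parseFeatures(features) {
  const out = {};
  for (const item of String(features).split(',')) {
    const [key, value] = item.split('=').map((s) => s.trim());
    if (key) out[key.toLowerCase()] = value === undefined ? 'yes' : value;
  }
  return out;
}

function toInt(value, fallback) {
  const n = parseInt(value, 10);
  return Number.isFinite(n) ? n : fallback;
}

// Clamp the requested geometry so the pop-up lies entirely within browserRect.
// With allowUnconstrained (the Trusted Sites setting) the request passes as-is,
// which is exactly why that setting re-opens the hole the post describes.
function constrainPopup(features, browserRect, allowUnconstrained = false) {
  const f = parseFeatures(features);
  const req = {
    width: toInt(f.width, 400),
    height: toInt(f.height, 300),
    left: toInt(f.left, browserRect.left),
    top: toInt(f.top, browserRect.top),
  };
  if (allowUnconstrained) return { ...req, clamped: false };

  const width = Math.max(1, Math.min(req.width, browserRect.width));
  const height = Math.max(1, Math.min(req.height, browserRect.height));
  const maxLeft = browserRect.left + browserRect.width - width;
  const maxTop = browserRect.top + browserRect.height - height;
  const left = Math.min(Math.max(req.left, browserRect.left), maxLeft);
  const top = Math.min(Math.max(req.top, browserRect.top), maxTop);
  const clamped = left !== req.left || top !== req.top ||
    width !== req.width || height !== req.height;
  return { left, top, width, height, clamped };
}

// Zone lookup standing in for the Trusted Sites list (constructed).
function allowsUnconstrainedWindows(hostname, trustedSites) {
  return trustedSites.includes(hostname.toLowerCase());
}

// Constructed sample: browser occupies (100,100)-(900,700); a score alert
// tries to open a 300x200 window far off-screen.
const BROWSER = { left: 100, top: 100, width: 800, height: 600 };
const TRUSTED = ['scores.example.com'];
const REQUEST = 'left=-5000,top=-5000,width=300,height=200';

function demo(hostname) {
  const override = allowsUnconstrainedWindows(hostname, TRUSTED);
  return constrainPopup(REQUEST, BROWSER, override);
}

console.log('untrusted:', demo('ads.example.net'));    // clamped to (100,100)
console.log('trusted:  ', demo('scores.example.com')); // off-screen allowed
```

Running it shows the same request clamped into the browser area for an ordinary site and passed through untouched once the host is in the trusted list.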

Comments (44)
  1. matt says:

    "The real fix is not to rely on the security hole."

    That’s hilarious. As if they knew that this was a security hole to begin with and went ahead and relied on it anyway. There is a big difference between using what is a standard Microsoft supported feature and blatantly disregarding security.

  2. Daniel says:

    That security hole wasn’t considered a security hole until people started abusing it.

    Before that, it was considered a program feature allowed and enabled by IE, so what is the point in the aftermath to say that it was a security hole to begin with? And how were the sites supposed to know that it’s a bug and not a feature?

    It’s easy to say in retrospect that it’s a security hole, because it is now; back then, before people abused it, it wasn’t a security hole, it was just something you could do, therefore those sites took advantage of it legitimately and I don’t think it’s fair calling it otherwise. (Although I completely agree with the patch.)

  3. oldnewthing says:

    Okay then "When web sites rely on what turns out to be a security hole". My point still stands.

  4. John Goewert says:

    I’ve always thought that programmatically allowing pop-ups as a whole was a bad idea.

    The main idea of the problem is that it allows someone to run something on a users computer that did not require user participation or control.

    Who can forget those lovely ads that when you close them open two other ads and if you don’t close those in 1 second use the timer to pop open 4 more ads which then spawn 16 more ads and keep going until you have 2 to the power of 42 popup windows chugging smut into your face.

    Still, there is that fine line of functionality vs. security that needs to be there. Cool features may someday be security holes and developers, their managers, and the customers need to understand that and accept change.

  5. Scott says:

    ObShortRant: Ha. I love it when people coding for a particular browser get their asses handed to ’em.

    However, I guess they were using popups to cover bad things they were doing to the OS?

    How can the ability to position a window be a security problem?

    I guess I won’t be using XP SP2 then, as I use that feature personally.

  6. schuimpie says:

    If I were a content developer, like this sports site, and this pop-up thing is an important feature I’d make sure to test whenever something changes in the underlying software, IE in this case. What’s the big deal !!

  7. Cheong says:

    Actually, I’ll prefer to advise the game score in an iframe that refreshes itself. Flash with Actionscript that pulls XML streams will also do. Why do those companies insist on preserving these "security holes"?

    I do think popup blockers are a common thing on any major OS. And they’re likely to "hit the rock" one day or another anyway.

  8. Cheong says:

    Scott:

    Positioning a popup window may not be a problem by itself, but certainly a problem if it places the window outside your screen boundary.

    And I think it’s annoying to have Ad. windows cover up all the screen.

  9. RobL says:

    ‘Okay then "When web sites rely on what turns out to be a security hole". My point still stands.’

    No it doesn’t. What a pompous load of rubbish!

    Developers and businesses out there in the REAL world (read: world where you are using and relying on environments supplied by other vendors, rather than writing those environments) will take a product, read up on what it can do, read up on any ‘best practices’, and within those confines will attempt to do the very best they can. They will attempt to provide the most useful features they can.

    The fact that the vendor (or the whole rest of the world) realises that feature ‘x’ is not safe in the future and locks it down is hardly their fault is it??

    Whether it is a pop-up outside of the browser window area, writing a script to access a user’s address book or any other software feature that eventually got withdrawn, you can’t say "The real fix is not to rely on X".

    Programmer – I am. Clairvoyant? I am not. What an asinine point you make.

  10. Derek says:

    schuimpie, you can test all you want, but if the functionality is removed, all your testing is going to do is tell you the same thing the users would tell you: It’s broke. And if the functionality is removed, it simply cannot be fixed.

    Personally, I think it’s perfectly reasonable to allow specific sites to open windows. The user should be able to allow trusted sites to do things like that, just as the user should be able to allow VBScript from trusted sites, or run a dangerous java applet, or whatever else. The entire concept of rich web applications requires some user trust.

    Allowing specific sites permission to do dangerous (or in this case, mostly just annoying) things is not a security risk, at least not any more than allowing users to install applications is.

  11. oldnewthing says:

    RobL: I didn’t say it was their fault. They got caught in the middle and ended up relying on what has since been recognized as a security hole. The question at this point is what do you (the web browser) do? Do you reinstate the security hole so these people can keep operating? Do you tell these people, "Sorry, you lose" (and risk the upcoming lawsuit)?

  12. Ring Zero says:

    "Okay then "When web sites rely on what turns out to be a security hole". My point still stands."

    Well, that would certainly have to include websites that relied on IIS 1.0, 2.0, 3.0, 4.0, 5.0, or 6.0, and those that relied on ASP, or ASP.NET, or FrontPage Extensions, etc. and any websites that, on the client side, relied on Internet Explorer 4.0, 5.0, 5.5, or 6.0, running on any version of Windows.

  13. J says:

    RobL: Umm, you need to read the entire paragraph and understand the context, not just read the last sentence and overreact.

    "… But this is just a stop-gap, re-opening the security hole to let this site continue to operate the way it does. The real fix is not to rely on the security hole."

    The context of the statement is that if you want to fix your NOW-BROKEN programs, you have to stop relying on the security hole. You shouldn’t simply re-open the security hole for the user as your fix. Clairvoyance is not necessary.

  14. Nekto2 says:

    But hey – you see that the only thing needed is to implement ability to notify user when IE window is minimized or under others.

    When you implement security protection against self-raising windows you just replace it with flashing of taskbar and tray icon notifications. Again here you have disabled a way to notify users, so should replace it with another way of achieving same action without security issues. So why not allow to make notifications from JS?

  15. Nekto2 says:

    One more ;)

    Have you ever heard of a lawsuit on security hole usage? Such as "I was able to change files on remote computer, but now can’t!" or "my site was setting itself as startup page without user confirmation, but now can’t" :)

  16. oldnewthing says:

    I don’t know of any actual lawsuits, but there have definitely been threats of lawsuits. Jeff Davis (IE popup blocker dev) can probably name a half dozen companies off the top of his head who threatened some sort of retaliatory action when their popups were blocked.

  17. Dan McKinley says:

    The intranet of our parent company is nothing BUT an intricate system of interconnected popup windows. So yeah, they were probably pretty pissed.

  18. Dan McCarty says:

    Wow, the zing of the day definitely goes to Ring Zero.

  19. Starfish says:

    Ring Zero: in the interests of fairness you should mention Apache and your favourite linux browser running as root :)

  20. Good Point says:

    RobL: ‘No it doesn’t. What a pompous load of rubbish!’

    I take it that this is your first interaction with an employee of Microsoft.

  21. says:

    — Raymond —

    "I don’t know of any actual lawsuits, but there have definitely been threats of lawsuits. Jeff Davis (IE popup blocker dev) can probably name a half dozen companies of the top of his head who threatened some sort of retaliatory action when their popups were blocked."

    That’s almost surreal. The important question, though, is how many of those enraged companies were Viagra shills or ad-based-revenue organizations. =)

  22. James Risto says:

    As with previous topics on this blog, I suspect there is no good answer, only best of the worst. And let’s think past this one specific example. Sure, there are legit users of feature x. And some may not have the resources to change too swiftly. But, SP2 was in beta, and like it or not, you should test your stuff on betas. Total cost of your business, kinda thing.

  23. oldnewthing says:

    j²: They were legitimate companies. e-commerce sites mostly, some financial institutions.

  24. Jay B says:

    It’s not the fault of the developer, in my opinion. Microsoft designed IE to support "rich clients" and strongly pushed towards having people build these rich clients. Unfortunately that support left gaps in security over the web, and people have abused them.

    I know first-hand, security was a big part of our mindset when we designed our rich client. We got bit pretty hard when XP SP2 tightened things up a bit. Suddenly our modal popups looked different, some of our DOM-massaging code wasn’t functioning due to permissions, etc…

    Some of the time you can say "you’re only running into a problem now because you were trying to work around the limitations of the web/web browser", but with such a strong push for these "rich clients", it’s hard to not get forced into doing just that.

    Raymond, I don’t see what the problem is with adding a site to the Trusted Site list. That’s the whole point of that mechanism, to let certain web sources break the standard security constraints. It’s up to the user to say, "Yes, I’m willing to let site ABC do things that would normally be restricted".

  25. Jerry Pisk says:

    Is it just me or is using a minimized browser to run a background notification application a really bad idea?

  26. MSFT says:

    If something being the result of someone basing their product on a bad idea were the only requirement for dismissing a bug request we [MSFT] would have a LOT more free time to work on the next version and feature requests…

  27. PatriotB says:

    "Is it just me or is using a minimized browser to run a background notification application a really bad idea?"

    It is. Talk about "use the right tool for the job." If you want to display popup notifications, create a Windows app that runs in the background, then you can show all the popups you want. If they were using a WindowsIE-only feature, they shouldn’t have to worry about developing a Windows-only app.

  28. Matt says:

    Adding websites to the trusted zone so that they can display popups is bad – it allows the website access to many more capabilities over displaying popups.

    Promoting the download of Windows programs to users is bad – it promotes and reinforces behaviour that is extraordinarily risky in terms of malware.

    I’ve no pity for the "rich client" web developer either. I’ve seen as many abuses of popups in "rich client" web applications as I’ve seen legitimate uses. It’s that stupid abuse of a feature that led to the proliferation of popup blockers (because of user demand) both in SP2 and in other applications beforehand.

    The message for developers should be to use intrusive features responsibly. If you don’t they’ll be removed by users or MS and it’s no good getting indignant about it afterwards.

  29. Martin says:

    I can think of one MS web application that uses popup notifications with a minimized browser: Outlook Web Access. Want to know something even better? The popups bleed through and show on a locked desktop. So, all I need to do is sit and watch your locked PC to read your email. No permissions required at all.

  30. Moz says:

    > If you want to display popup notifications, create a Windows app

    The user visits a website, gets told to download and install an application, and you think that’s an approach with fewer security problems? Not to mention the bit where they also need to buy a new computer and install windows on it (those dang smartphone users!). In a world where even MS-Windows now commonly runs on a variety of platforms, "writing a Windows app" is not as simple as you might hope, and that ignores that traitorous minority running Macs or Unix.

  31. Matt says:

    Martin,

    You’re confusing the OWA popup with the Outlook one. The OWA popup contains no detail of the email at all. If it does bleed through the locked workstation screen, you’d only be able to deduce the user just received mail. You’d not see any detail of the mail like recipient, subject or mail body.

  32. Norman Diamond says:

    > The round of security changes in Windows XP SP2 broke this site because the rules on positioning of pop-up windows were tightened so that pop-up windows could not appear outside the browser itself. This prevents pop-up windows from being used to cover important browser elements

    I was wondering about that. I recalled reading statements saying that these security changes would be made, but the actual effects didn’t change very much. Maybe the rules were changed but the code was only tested in one language version of Windows?

    In IE pop-up windows pop up as unwanted and unpermitted additional windows, though I didn’t notice if any are designed to cover important browser elements. In Outlook Express some HTML messages DO cover important OE elements such as scroll bars, and cause other unexpected behaviours.

    Back to IE again, operations in some windows get to cause changes to frames in other windows even if the user invoked two separate IE processes to visit two separate sites. This isn’t exactly a popup but it’s still one window controlling another window in a way that isn’t exactly secure.

    I wonder if some web sites use programmatic operations to add themselves to trusted zones and set capabilities to run undesired operations. I didn’t see unexpected additions to trusted zones, but this still looks worrisome.

  33. Rover says:

    Why are you blaming other companies? The security "feature" shouldn’t have been there in the first place. Why was it added to IE?

  34. Finnish guy says:

    In my opinion, the entire concept of pop-up windows was pretty dumb from the get-go. The Internet is a "hostile environment" and it’s not a particularly good idea to have features in a browser that lend themselves to abuse so easily. Also, pop-ups break the fundamentals of web page navigation (browser history etc.)

    Of course, the whole pop-up craziness was invented by Netscape, if I’m not mistaken. In other words, the blame lies entirely with them – and on all those dumbtards (including web page authors) who didn’t yell out "man, is this a bad idea or what" the first time they saw a pop-up window.

  35. Nekto2 says:

    Concept of pop-ups is not dumb. It was just a multipurpose tool. You could open a new normal window or a new full screen window. No one knows which use of it will be useful. And that was a time when developers were trusted.

    Just remember showing photos in small pop-ups in photo galleries. It is just easy to do instead of DHTML/XMLHTTPREQ.

    http://e43.sag.karlstad.se/tsn/giu/kurs/styles/HTML/exempel/shakeit.html

    ;)

    There is also Alert abuse.

    while(1) { alert("Press Me"); }

    with modal style alerts.

  36. Some guy says:

    The initial reaction to the idea of pop-ups (and to modal JS windows, JS access to bookmarks/printing and so on) should have been as follows:

    "Uhhh, what if a web page author decides to fill my screen with these crazy windows, won’t let me quit the browser and manipulates my bookmarks? Aren’t there serious risks involved with this functionality?"

    Instead, the response from the general public – and from web developers – seems to have been "What an insanely awesome idea!"

    Though calling people stupid is one of the worst arguments one can make in any debate, it still escapes me how such lack of foresight could be characterized as anything but plain stupidity. However, MS is not to blame here; they just provided the functionality that Netscape had already introduced and people were demanding.

    My favorite example of a lack of foresight can be found in my old hometown, where urban planners designed a low-income neighborhood in the 1960s. A long straightaway road goes through the area, ending in a steep curve – conveniently located next to a deadly-looking pile of boulders.

    Expected result: in 15 to 20 years, low-income people will have produced low-IQ teenagers who race along the straightaway in their souped-up cars and motorcycles, neglecting to slow down well ahead of the curve. You do the math.

    Actual result: see "expected result," with casualties.

  37. Derek says:

    Finnish Guy, the Internet wasn’t always a hostile environment. Popups were implemented when they seemed a good idea. And they were. They had both fun and beneficial uses.

  38. Ulric says:

    Scott wrote:

    >I guess I won’t be using XP SP2 then, as I use that feature personally.

    The Trusted Sites settings overrides are there for local area network things for things you "use personally".

  39. RobL says:

    oldnewthing and J:

    You miss my point entirely.

    I am not saying you should re-open the security hole. I wasn’t actually suggesting any kind of solution (if you actually read my post). My post was not attempting to engage you in pursuit of a solution.

    What I am saying is that the tone of the article is unnecessarily pompous, given that it is surely a developer-to-developer conversation, and it represents a total lack of understanding of the motivation of the average real-worldie out there. (think: ivory tower)

    Consider it more of a comment on the marketing of your thoughts than the technicalities.

    "You shouldn’t simply re-open the security hole for the user…" – I don’t believe I noticed myself suggest otherwise. Please read the actual words I type – it is the only method I have of communicating via this type of forum.

    Good Point:

    Thanks man – I think I now understand :-)

  40. oldnewthing says:

    RobL: I didn’t mean to sound accusatory or pompous (how was I pompous exactly?). Here’s the article in short form, hopefully devoid of attitude:

    1. Popups can be positioned.

    2. Company uses this feature.

    3. Bad people position popups.

    4. Restrictions imposed on how popups can be positioned.

    5. Company’s feature stops working.

    6. Company complains, asking for restriction to be lifted.

    7. Restrictions remain in place, temporary workaround provided (adding site to trusted list).

    8. (The point:) Despite workaround, company still needs to change site to conform to new restrictions.

    The company got caught in the crossfire. It’s unfortunate, but these things happen.

  41. Mark Steward says:

    RobL: I think the confusion is that "The real fix is not to rely on the security hole" means "… any more" (and I think J was trying to explain this). The fault of these developers isn’t using an iffy feature (it would certainly be harsh to condemn that), but trying to complain that Microsoft changed the behaviour, when the rest of the world agrees it should be changed.

    But it adds another caveat to Microsoft’s "supported" features, I guess. You can never tell when doing things the "better" way might become the only way, especially in the variegated world of IE.

  42. James says:

    RobL, it may not be your fault when somebody else abuses a feature (any feature) to the point it has to be removed/disabled.

    But it is YOUR responsibility to keep up with the times and changing technology. It is YOUR responsibility to update YOUR application so it plays well with others – the good and bad ones.

    When will people realize that the costs of poor design and (abuse of such designs) is borne by *everyone* – users and vendors and programmers alike!

    BTW, you may be the one of the few who reads Best Practices. Judging from Raymond’s posts, and my own experience, most Windows programmers do not follow Microsoft’s guidelines.

  43. Maybe the real security hole was that a popup window can open another one when closing. Something similar to the Windows behavior when forbidding to load a dll if the system is shutting down. It guarantees that the system will effectively shutdown one time.

    By the other side, allowing a WebPage to open a popup is more like a user setting, that is by default to OFF for the dummy user.

    Being a developer I have never been fooled by any of the popups that try to look like system popups.

    More, IE could open popup with a different title bar to signify to the user that this IS NOT A SYSTEM POPUP….
