LowesLink Revisited: Same Pig, Different Lipstick

August 6, 2013

I wrote about LowesLink a few months ago, after years of frustration supporting several clients that use Lowe's Home Improvement Warehouse's vendor portal.

You can read through the above post, but in a nutshell, LowesLink is a Java-based portal and, due to both its technical requirements and its support recommendations, anyone who uses it is very likely running an old and insecure version of Java in their browser. As a result, most, if not all, of Lowe's third-party vendors, and likely a good number of its employees, are at significantly increased risk of viruses and other malware infections.

Since my writing, Lowe's has improved its documentation online and removed some of the more criminally negligent advice, such as telling users to disable Java updates and stating that a two-year-old version of Java is the only supported one.

However, ultimately, it is still the same pig, just with a slightly nicer shade of lipstick.

Main Changes to LowesLink Documentation:

- Removed advice to disable Java Updates

- Updated Documentation to indicate that newer versions of Internet Explorer do work with it

- Direct users to disable insecure/mixed content warning in Internet Explorer

Removed advice to disable Java Updates

In the past, both via their telephone support staff and their online documentation, LowesLink directed users to install an old and insecure version of Java and to disable automatic updates.

Since updating the documentation, Lowe's no longer directs users to disable Java updates on their computers, and even mentions that a newer update of Java 6 works in some cases.

However, they still recommend installing a version of Java that is no longer supported, stating:

[Screenshot: LowesLink Java requirements]

To get it, they direct users to oldapps.com, a third-party download site, for the old, unsupported version of Java. Beyond the age of the software itself, pulling a runtime from a third-party mirror rather than from the vendor means there is no assurance that the installer is the genuine one.

What makes this so bad is that the Java browser plugin is one of the most heavily exploited pieces of client software there is, if not the single largest source of drive-by infections. Exploit kits routinely carry working exploits for publicly known Java flaws, so even the most recent release is usually only one unpatched bug away from compromise, and that is before zero-days are taken into account. An old version is missing every fix shipped since it was released, so all of those flaws work against it. Directing users to install an old version of the Java browser plugin is criminally irresponsible.
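The first thing a support tech wants to know for each vendor workstation is which Java is actually installed and whether it still gets security fixes. The following is an added example, not Lowe's or LowesLink code: it parses the first line of `java -version` output and classifies the runtime against a baseline. The baseline numbers are an assumption reflecting the time of this post (Java 6 public updates ended in 2013 with 6u45 as the last public release; Java 7 update 25 was the current release), and the sample outputs and hostnames are constructed.

```python
"""Classify a reported Java runtime against a support baseline.

Added example, not Lowe's or LowesLink code. It parses the first line of
`java -version` output, the way a support tech might collect it from a
vendor's workstation, and reports whether that runtime still receives
security fixes. The baseline is an assumption reflecting the time of this
post: Java 6 public updates ended in 2013 (last public release 6u45), and
Java 7 update 25 was the current release.
"""
import re
from typing import Dict, NamedTuple, Optional

# `java -version` prints its version on the first line, for example:
#     java version "1.6.0_31"
#     java version "1.7.0_25"
# Some builds append a suffix inside the quotes (e.g. "1.7.0_25-b15"), and
# a GA release without updates has no "_NN" part at all ("1.7.0").
VERSION_LINE = re.compile(
    r'^(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"', re.MULTILINE
)


class JavaVersion(NamedTuple):
    major: int   # 6 for Java SE 6, 7 for Java SE 7
    update: int  # the number after the underscore; 0 when absent


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Return (major, update) from `java -version` output, or None if no version line is present."""
    match = VERSION_LINE.search(output)
    if match is None:
        return None
    return JavaVersion(int(match.group(1)), int(match.group(2) or 0))


# Assumed baseline; adjust to whatever Oracle is currently shipping.
OLDEST_SUPPORTED_MAJOR = 7                 # everything below gets no more public fixes
CURRENT_UPDATE: Dict[int, int] = {7: 25}   # latest security update per supported major


def classify(output: str) -> str:
    """One of: 'unparseable' (no version line, e.g. Java not installed or not on PATH),
    'unsupported' (no more fixes at all), 'outdated' (supported line but missing
    fixes), or 'current'."""
    version = parse_java_version(output)
    if version is None:
        return "unparseable"
    if version.major < OLDEST_SUPPORTED_MAJOR:
        return "unsupported"
    if version.update < CURRENT_UPDATE.get(version.major, 0):
        return "outdated"
    return "current"


# Constructed sample output, modelled on the real `java -version` format.
# Hostnames and build tags are made up.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "vendor-pc-1": 'java version "1.6.0_31"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_31-b05)\n',
    "vendor-pc-2": 'java version "1.7.0_21"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "vendor-pc-3": 'java version "1.7.0_25"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_25-b15)\n',
    "vendor-pc-4": "'java' is not recognized as an internal or external command\n",
}


def summarize(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its classification, so a fleet can be triaged at a glance."""
    return {host: classify(text) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, verdict in summarize(SAMPLE_OUTPUTS).items():
        print(f"{host}: {verdict}")
```

Run `java -version 2>&1` on each machine (the version goes to stderr), paste the output in, and anything that comes back "unsupported" is a machine that can never be patched no matter how diligently updates are applied.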

Updated Documentation to indicate that newer versions of Internet Explorer Work with LowesLink

This change to the LowesLink documentation is good. I have had Internet Explorer 9 with a newer version of Java working for at least a year, if not longer, with a client.

In the past, they directed Windows Vista and Windows 7 users to downgrade to Internet Explorer 8, even though, as I mentioned, at least for the type of work my vendors do, it has worked fine in Internet Explorer 9 for a while now.

Direct users to disable insecure/mixed content warning in Internet Explorer

One issue with LowesLink is that instead of serving all of its content over an encrypted connection (HTTPS), it serves some resources over unencrypted HTTP, a condition known as mixed content. At least on the login page, I believe this was mostly images, but I haven't looked in a while.

Most browsers will warn you in some way when this happens, because it undermines the protection the HTTPS padlock implies: anyone positioned on the network can tamper with the plaintext response, and if the tampered resource is a script or applet rather than an image, the attacker effectively controls the page.

Internet Explorer makes this the most obvious: every time you visit a page that loads content insecurely, it shows a modal prompt asking whether you want to view only the content that was delivered securely, a counter-intuitive question because answering Yes blocks the insecure content rather than allowing it.

Rather than fix the issue, which is often as simple as ensuring every resource is referenced over HTTPS instead of HTTP, Lowe's now directs users to disable the warning.

So the content still gets loaded insecurely on Lowe's site, with the added bonus that the warning disappears for ALL other websites as well: the setting in question ("Display mixed content" under the security zone's custom level) applies to the whole Internet zone, not to LowesLink alone.

So, for example, if a user goes to their bank's website (or an attack/phishing website) that has a similar mixed-content issue, they won't see a warning that their account information could potentially be leaked.

[Screenshot: LowesLink mixed content warning instructions]

The above are the exact instructions, which lead to a document showing how to disable this important, albeit often annoying and counter-intuitive, warning in Internet Explorer.
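The right fix sits on the server, not in the user's browser settings: every sub-resource of an HTTPS page has to be referenced over HTTPS. The following is an added example, not Lowe's or LowesLink code, that scans a page's markup for the plain-http references that trigger Internet Explorer's prompt and shows the per-resource correction. The sample login page, its hostnames (portal.example.com, static.example.com) and the tag-to-attribute table are constructed for illustration.

```python
"""Find mixed content in the HTML of a page served over HTTPS.

Added example, not Lowe's or LowesLink code. It scans a page's markup for
sub-resources referenced over plain http://, which is exactly what triggers
Internet Explorer's mixed-content prompt, and shows the per-resource fix.
The sample page and hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that names the fetched resource, how browsers rate it).
# "active" content (scripts, frames, plugins, stylesheets) can take over the
# page if an attacker tampers with the plaintext response; "passive" content
# (images, media) can only be swapped or observed. Both defeat the padlock.
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "frame": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "applet": ("codebase", "active"),   # where a Java applet's classes are fetched from
    "link": ("href", "active"),         # only rel="stylesheet" is checked below
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}

Finding = Tuple[str, str, str, str]   # (tag, attribute, absolute url, kind)


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, kind = RESOURCE_ATTRS[tag]
        attr_map = dict(attrs)
        # Other <link> relations are out of scope for this example.
        if tag == "link" and (attr_map.get("rel") or "").lower() != "stylesheet":
            return
        value = attr_map.get(attr_name)
        if not value:
            return
        # Resolve against the page URL: relative paths and "//host/path"
        # references inherit https and are therefore fine.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, attr_name, absolute, kind))


def find_mixed_content(page_url: str, html: str) -> List[Finding]:
    """Return every sub-resource of an https page that is fetched over http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suggest_fix(url: str) -> str:
    """The fix is per resource: reference it over https instead."""
    return urlsplit(url)._replace(scheme="https").geturl()


# Constructed login page; portal.example.com and static.example.com are not real.
SAMPLE_PAGE_URL = "https://portal.example.com/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/css/portal.css">
<link rel="icon" href="http://static.example.com/favicon.ico">
<script src="//static.example.com/js/login.js"></script>
</head><body>
<img src="http://static.example.com/img/logo.gif">
<img src="/img/header.png">
<applet code="Portal.class" codebase="http://static.example.com/applets/"></applet>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url} -> {suggest_fix(url)}")
```

Note that the protocol-relative script reference and the relative image pass cleanly, while the stylesheet, the logo and, worst of all, the applet codebase are flagged. An applet fetched over plain HTTP on an otherwise encrypted page means the code that runs in the user's Java plugin can be swapped by anyone on the path.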

Conclusion

It is good that Lowe's has finally updated its documentation. Before, it had references to 2011, and I can say that it hadn't been updated once in the 2-3 years I have been supporting it. Now they even have a revision date on some of the documentation.

However, they haven’t really changed anything. It looks a bit nicer and the advice is a bit better.

However, Lowe's is still getting vendors to install an insecure version of Java, which significantly increases the risk that a vendor will get a computer virus. And Lowe's is still recommending browser settings changes that further decrease browser security.


2 Responses to “LowesLink Revisited: Same Pig, Different Lipstick”

  1. Ben Says:

    I’m happy to hear that someone else shares my disdain for LowesLink setups. I’m setting one up now and ran across this blog to see if I’m the only one confused by a vendor requiring Java 6 & greatly reduced IE settings. I’m guessing the folks at LowesLink hired a Java developer a few years ago to write it and not a soul has touched the code since.

  2. junger95 Says:

    Yes, it has been a thorn in my side for a long time. I think you are right that it is just some really old Java code.

    I can see how at the time they developed the site, years ago, using Java might have made sense and was powerful enough to do everything they needed. I can also understand that for a company as big as Lowe's, with a lot of corporate overhead, making a change is going to be a slow and tedious process.

    However, I do feel that it is irresponsible of Lowe’s to require a system that almost always ensures Lowe’s Vendors/Employees are running an insecure system.

