[Full-Disclosure] IE Web Browser: "Sitting Duck"

From: Edge, Ronald D (edge_at_indiana.edu)
Date: 06/29/04

  • Next message: Ron DuFresne: "RE: [Full-Disclosure] Microsoft and Security"
    To: "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>
    Date: Tue, 29 Jun 2004 09:25:32 -0500
    
    

    I find it pretty stunning that now even the mainstream corporate online
    IT press is jumping down Microsoft's throat over the vulnerabilities and
    problems with the Microsoft IE browser.

    I recall last week we had a thread in which one poster was defending
    Microsoft, and insisting we were just complaining about the "GUI
    interface", and ignoring all efforts to focus attention on such facts as
    pointed out even in this CNET news.com article:

    "IE a sitting duck?"
    "But Mozilla claims some inherent security advantages as well. Internet
    Explorer is a fat target for attackers, in large part because it
    supports powerful, proprietary Microsoft technologies that are notoriously
    weak on security, like ActiveX."
            
    http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697.html?tag=nefd.lede

    Even CERT has issued an advisory that is really quite amazing in its
    bluntness:
            http://www.kb.cert.org/vuls/id/713878
    which was last updated June 25, 2004 in the wake of the download.ject
    attack by what appears to have been Russian criminal gangs out of a web
    site now shut down in Russia.

    "Use a different web browser"
    "There are a number of significant vulnerabilities in technologies
    relating to the IE domain/zone security model, the DHTML object model,
    MIME type determination, and ActiveX. It is possible to reduce exposure
    to these vulnerabilities by using a different web browser, especially
    when browsing untrusted sites. Such a decision may, however, reduce the
    functionality of sites that require IE-specific features such as DHTML,
    VBScript, and ActiveX. Note that using a different web browser will not
    remove IE from a Windows system, and other programs may invoke IE, the
    WebBrowser ActiveX control, or the HTML rendering engine (MSHTML)."

    Ron.

    Ronald D. Edge
    Director of Information Systems
    Indiana University Intercollegiate Athletics
    edge@indiana.edu (812)855-9010
    http://iuhoosiers.com
    http://mainsleazespam.com

    Corporate IT's reaction to spyware has been surprising: it's been
    largely swept under the rug. The problem is that you can't hide an
    elephant by sweeping it under the rug. It leaves quite a bulge.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
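The CERT text quoted in the post makes a point that is easy to miss when "switch browsers" is the advice: IE's rendering engine (MSHTML) and the WebBrowser control are loaded by other programs too, so the exposure does not go away just because nobody launches iexplore.exe. The following PowerShell snippet is an added example written for this page, not code from the post, from CERT or from Microsoft; it inventories which running processes other than Internet Explorer currently have mshtml.dll loaded, so an administrator can see what else on a host still depends on the IE engine. It assumes a Windows host where the module is named mshtml.dll, and it skips processes whose module list cannot be read (insufficient rights, or a 32-/64-bit mismatch).

```powershell
# Added example (not from the original post, CERT or Microsoft).
# Lists processes other than iexplore.exe that have the IE rendering
# engine (mshtml.dll) loaded, i.e. programs that embed the WebBrowser
# control or MSHTML and therefore still share IE's exposure.
function Get-MshtmlHosts {
    foreach ($p in Get-Process) {
        # Internet Explorer itself is expected to load mshtml.dll; skip it.
        if ($p.ProcessName -eq 'iexplore') { continue }

        # Reading .Modules can fail for protected or cross-bitness processes;
        # treat those as "unknown" and move on rather than aborting the scan.
        try {
            $mods = $p.Modules
        } catch {
            continue
        }

        $hit = $mods | Where-Object { $_.ModuleName -ieq 'mshtml.dll' }
        if ($hit) {
            [pscustomobject]@{
                Id   = $p.Id
                Name = $p.ProcessName
                Path = $p.Path
            }
        }
    }
}

# Usage: run from an elevated prompt to see system processes as well.
Get-MshtmlHosts | Sort-Object Name | Format-Table -AutoSize
```

Running this on a workstation typically surfaces mail clients, help viewers and line-of-business applications that render HTML through MSHTML; those are the programs the CERT note is warning about, and they need the same patch and zone-configuration attention as the browser itself.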

