RE: [Full-Disclosure] How big is the danger of IE?

From: joe (mvp_at_joeware.net)
Date: 07/08/04

    To: "'Skander Ben Mansour'" <full-disclosure@benmansour.net>, "'Yaakov Yehudi'" <maximumdisclosure@yahoo.com>, <FULL-DISCLOSURE@lists.netsys.com>
    Date: Thu, 8 Jul 2004 17:17:43 -0400
    
    

    http://www.kb.cert.org/vuls/id/713878

    The link above is the advisory that theregister is talking about. I know it
    is unusual for theregister but they seemed to have missed a hefty part of
    the whole advisory when reporting it.

    Here is the specific section:

    III. Solution
    Until a complete solution is available, consider the following workarounds.

    Disable Active scripting and ActiveX

    Disabling Active scripting and ActiveX controls in the Internet Zone (or any
    zone used by an attacker) appears to prevent exploitation of this
    vulnerability. Disabling Active scripting and ActiveX controls in the Local
    Machine Zone will prevent widely used payload delivery techniques from
    functioning. Instructions for disabling Active scripting in the Internet
    Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See Microsoft
    Knowledge Base Article 833633 for information about securing the Local
    Machine Zone. Also, Service Pack 2 for Windows XP (currently in beta
    release) includes these and other security enhancements for IE.

    Apply the Outlook Email Security Update

    Another way to effectively disable Active scripting in Outlook is to install
    the Outlook Email Security Update. The update configures Outlook to open
    email messages in the Restricted Sites Zone, where Active scripting is
    disabled by default. In addition, the update provides further protection
    against malicious code that attempts to propagate via Outlook. The Outlook
    Email Security Update is available for Outlook 98 and Outlook 2000. The
    functionality of the Outlook Email Security Update is included in Outlook
    2002 and Outlook Express 6. Outlook 2003 includes these and other security
    enhancements.

    Read and send email in plain text format

    Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view
    email messages in text format. Consider the security of fellow Internet
    users and send email in plain text format when possible. Note that reading
    and sending email in plain text will not necessarily prevent exploitation of
    this vulnerability.

    Maintain updated anti-virus software

    Anti-virus software with updated virus definitions may identify and prevent
    some exploit attempts. Variations of exploits or attack vectors may not be
    detected. Do not rely solely on anti-virus software to defend against this
    vulnerability. US-CERT maintains a partial list of anti-virus vendors.

    Do not follow unsolicited links

    Do not click on unsolicited URLs received in email, instant messages, web
    forums, or internet relay chat (IRC) channels. While this is generally good
    security practice, following this behavior will not prevent exploitation of
    this vulnerability in all cases, particularly if a trusted site has been
    compromised or allows cross-site scripting.

    Use a different web browser

    There are a number of significant vulnerabilities in technologies relating
    to the IE domain/zone security model, the DHTML object model, MIME type
    determination, and ActiveX. It is possible to reduce exposure to these
    vulnerabilities by using a different web browser, especially when browsing
    untrusted sites. Such a decision may, however, reduce the functionality of
    sites that require IE-specific features such as DHTML, VBScript, and
    ActiveX. Note that using a different web browser will not remove IE from a
    Windows system, and other programs may invoke IE, the WebBrowser ActiveX
    control, or the HTML rendering engine (MSHTML).

     

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Skander Ben
    Mansour
    Sent: Thursday, July 08, 2004 3:59 PM
    To: 'Yaakov Yehudi'; FULL-DISCLOSURE@lists.netsys.com
    Subject: RE: [Full-Disclosure] How big is the danger of IE?

    <SNIP>

    CERT recently recommended using a different web browser:
    http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/
    http://www.us-cert.gov/current/current_activity.html#iis5
    "There are a number of significant vulnerabilities in technologies relating
    to the IE domain/zone security model, the DHTML object model, MIME type
    determination, and ActiveX. It is possible to reduce exposure to these
    vulnerabilities by using a different web browser, especially when browsing
    untrusted sites. Such a decision may, however, reduce the functionality of
    sites that require IE-specific features such as DHTML, VBScript, and
    ActiveX. Note that using a different web browser will not remove IE from a
    Windows system, and other programs may invoke IE, the WebBrowser ActiveX
    control, or the HTML rendering engine (MSHTML). "

    I hope this helps.

    Best Regards,

    Skander Ben Mansour

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Yaakov Yehudi
    Sent: Thursday, July 08, 2004 7:59 AM
    To: FULL-DISCLOSURE@lists.netsys.com
    Subject: [Full-Disclosure] How big is the danger of IE?

    I would be interested to hear just how big the danger of IE is.
    How could it affect the privacy of big business, or any business for that
    matter?

    Or what about the Government - could information leak from government
    employees' computers? They do something to stop that, right?

    Bob Palliser

                    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
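
The first workaround quoted from the advisory (disabling Active scripting and ActiveX in the Internet and Local Machine zones) can be verified from an exported registry file. The following is an added example, not part of the original thread or the CERT advisory; the function names and the sample export are constructed, and it assumes the standard IE zone layout (zone 0 = Local Machine, zone 3 = Internet, URL actions 1200 and 1400, value 3 = Disable).

```python
import re

# IE URL security zones and URL action IDs stored under ...\Internet Settings\Zones\<n>.
ZONES = {"0": "Local Machine", "3": "Internet"}
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
DISABLED = 3  # 0 = enable, 1 = prompt, 3 = disable
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone: {action: value}} from `reg export` text (already decoded)."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = zones.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            m = VAL_RE.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone, action, state) for every audited setting not set to Disable."""
    zones = parse_zones(reg_text)
    findings = []
    for z, zname in ZONES.items():
        for a, aname in ACTIONS.items():
            value = zones.get(z, {}).get(a)
            if value != DISABLED:
                state = "missing" if value is None else f"value {value}"
                findings.append((zname, aname, state))
    return findings

# Constructed sample export: Local Machine zone left open, Internet zone partly locked.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1400"=dword:00000001
"""
if __name__ == "__main__":
    for zone, action, state in audit(SAMPLE):
        print(f"{zone} zone: {action} not disabled ({state})")
```

A "missing" result means the value is not set in the exported key, so the effective setting comes from elsewhere (defaults or policy) and has to be checked there.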


