Re: CRITICAL??? - Seven New Flaws in Internet Explorer not addressed by MS03-040 or MS03-048
From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: Fri, 28 Nov 2003 17:08:18 +1300
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
"Kusnierz, Danny" <dkusnier@BALL.COM> wrote:
> There is an EXPLOIT available 11/25/03 using a combination of seven new
> flaws discovered by Liu Die Yu which allows a properly crafted web site to
> download and execute arbitrary code without user intervention using
> Internet Explorer on a fully patched machine. I tried it myself after it
> was reported by Dan Drumm in our Telecom dept. and we're currently
> discussing the necessity of turning off Active Scripting.
If you give half a nob of goat s**t about your security, turning off
active scripting has been necessary since IE has supported it.
Active scripting should, at most, _ONLY_ be enabled in the Trusted
Sites security zone _AND_ you have to make sure that not just any user
can add sites to that zone.
Did you ever ask yourself why MS shipped IE with _both_ an "Internet
zone" and a "Restricted Sites zone"?
To any sane person _they are the same thing_.
The answer is simple -- it could not act all big brother-ish and
disable scripting for world plus dog as it had to have scripting to
compete with the absolute stupidity of scripting that had already been
started in competitive browsers (and, of course, that meant that its
scripting had to be at least as feature-rich as the competition (and
preferably more so) which meant that its scripting had to be at least
as insecure as (and preferably more so) that of competition -- but we
"Active content" is just wrong.
Self-modifying active content doubly so.
If you must use IE just say no to scripting as nearly every exploitable
vulnerability in IE ever has required scripting to actually make it
usable and thus useful to your potential attackers.
However, if you or your users prefer web sites that work (because so
many of them are "designed" by intellectually impaired chimpanzees
whose preferred authoring tools cannot even make a link without
defining a table and using scripting, and who have less than no concept
that they are part of "the security problem") then consider using
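An added example, not part of the original message: a PowerShell audit of the configuration the reply recommends, checking that Active scripting (URL action 1400) is disabled outside the Trusted sites zone and that users cannot edit zone membership. It assumes the standard Internet Settings registry layout for IE security zones; the function names are hypothetical.

```powershell
# Added example: audit IE security-zone settings against the policy in the post.
# URL action 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable.
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$States    = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$Settings  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Policies  = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

function Get-ZoneLockdownState {
    # Security_HKLM_only      = 1: zones are read from HKLM, not per user
    # Security_zones_map_edit = 1: users cannot add or remove sites in a zone
    # Security_options_edit   = 1: users cannot change a zone's settings
    foreach ($name in 'Security_HKLM_only', 'Security_zones_map_edit', 'Security_options_edit') {
        $value = (Get-ItemProperty -Path $Policies -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Policy = $name; Value = $value; Locked = ($value -eq 1) }
    }
}

function Get-ActiveScriptingState {
    param([Parameter(Mandatory)][ValidateSet('HKCU:', 'HKLM:')][string]$Hive)
    foreach ($zone in 1..4) {
        $key   = "$Hive\$Settings\Zones\$zone"
        $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        if ($null -ne $value -and $States.ContainsKey([int]$value)) {
            $state = $States[[int]$value]
        } else {
            $state = 'not set'
        }
        # Policy from the post: scripting at most in Trusted sites (zone 2).
        # A missing value is reported as failing so it gets reviewed by hand.
        $ok = ($zone -eq 2) -or ($value -eq 3)
        [pscustomobject]@{ Hive = $Hive; Zone = $ZoneNames[$zone]; ActiveScripting = $state; MeetsPolicy = $ok }
    }
}

$lockdown = @(Get-ZoneLockdownState)
$lockdown | Format-Table -AutoSize

# With Security_HKLM_only = 1 the machine-wide zones are the effective ones;
# otherwise each user's HKCU copy is.
$hklmOnly = $lockdown | Where-Object { $_.Policy -eq 'Security_HKLM_only' -and $_.Locked }
$hive = if ($hklmOnly) { 'HKLM:' } else { 'HKCU:' }
Get-ActiveScriptingState -Hive $hive | Format-Table -AutoSize
```

The script only reads the registry; a row with `MeetsPolicy` false or `Locked` false marks a setting that departs from what the reply describes.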