Re: CRITICAL??? - Seven New Flaws in Internet Explorer not addressed by MS03-040 or MS03-048

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 11/28/03

  • Next message: CORE Security Technologies: "[ANNOUNCE] Python network security tools: Pcapy, Impacket, InlineEgg"
    Date:         Fri, 28 Nov 2003 17:08:18 +1300

    "Kusnierz, Danny" <dkusnier@BALL.COM> wrote:

    > There is an EXPLOIT available 11/25/03 using a combination of seven new
    > flaws discovered by Liu Die Yu which allows a properly crafted web site to
    > download and execute arbitrary code without user intervention using
    > Internet Explorer on a fully patched machine. I tried it myself after it
    > was reported by Dan Drumm in our Telecom dept. and we're currently
    > discussing the necessity of turning off Active Scripting.


    If you give half a nob of goat s**t about your security, turning off
    active scripting has been necessary since IE has supported it.

    Active scripting should, at most, _ONLY_ be enabled in the Trusted
    Sites security zone _AND_ you have to make sure that not just any user
    can add sites to that zone.

    Did you ever ask yourself why MS shipped IE with _both_ an "Internet
    zone" and a "Restricted Sites zone"?

    To any sane person _they are the same thing_.

    The answer is simple -- it could not act all big brother-ish and
    disable scripting for world plus dog as it had to have scripting to
    compete with the absolute stupidity of scripting that had already been
    started in competitive browsers (and, of course, that meant that its
    scripting had to be at least as feature-rich as the competition (and
    preferably more so) which meant that its scripting had to be at least
    as insecure as (and preferably more so) that of competition -- but we

    "Active content" is just wrong.

    Self-modifying active content doubly so.

    If you must use IE just say no to scripting as nearly every exploitable
    vulnerability in IE ever has required scripting to actually make it
    usable and thus useful to your potential attackers.

    However, if you or your users prefer web sites that work (because so
    many of them are "designed" by intellectually impaired chimpanzees
    whose preferred authoring tools cannot even make a link without
    defining a table and using scripting, and who have less than no concept
    that they are part of "the security problem") then consider using
    another browser.


    Nick FitzGerald
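The zone policy the post argues for (Active Scripting disabled in the Internet zone, enabled only in Trusted Sites, and the zone site lists locked so ordinary users cannot add sites) can be applied and audited from the registry. The following is an added example, not code from the post or from NTBugtraq; it assumes the documented Internet Explorer zone registry layout (zone subkeys 1..4 under `Internet Settings\Zones`, the "Active scripting" action stored as value `1400` with 0 = enable, 1 = prompt, 3 = disable) and the `Security_zones_map_edit` policy value behind the "Do not allow users to add/delete sites" Group Policy setting. The function and variable names are the example's own.

```powershell
# Added example (not from Nick FitzGerald's post): put Active Scripting where the
# post says it belongs -- off in the Internet and Restricted zones, on only in
# Trusted Sites -- and lock the zone site lists. Run from an elevated prompt.
# Assumption: standard IE zone registry layout and policy value names.

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# IE zone numbers; value 1400 in each zone key is the "Active scripting" action.
$Zones           = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }
$ActiveScripting = '1400'
$Enable          = 0
$Disable         = 3
$ActionNames     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Set-ActiveScripting {
    param([int]$Zone, [int]$Action)
    $path = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ActiveScripting -Value $Action -Type DWord
}

function Get-ActiveScriptingReport {
    # Report the effective Active Scripting action for every zone.
    foreach ($name in $Zones.Keys) {
        $path  = Join-Path $ZonesKey $Zones[$name]
        $value = (Get-ItemProperty -Path $path -Name $ActiveScripting `
                  -ErrorAction SilentlyContinue).$ActiveScripting
        $state = if ($null -ne $value -and $ActionNames.ContainsKey([int]$value)) {
                     $ActionNames[[int]$value]
                 } else { '(not set)' }
        [pscustomobject]@{ Zone = $name; Number = $Zones[$name]; ActiveScripting = $state }
    }
}

# Scripting only in Trusted Sites; off everywhere an arbitrary remote site lands.
Set-ActiveScripting -Zone $Zones.Internet   -Action $Disable
Set-ActiveScripting -Zone $Zones.Restricted -Action $Disable
Set-ActiveScripting -Zone $Zones.Trusted    -Action $Enable

# Stop users adding or removing sites in any zone (the post's second condition).
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name 'Security_zones_map_edit' -Value 1 -Type DWord

Get-ActiveScriptingReport | Sort-Object Number | Format-Table -AutoSize
```

The zone values under HKCU apply only to the user running the script; to enforce the same settings for every account on a machine, deploy them through Group Policy (or the equivalent HKLM zone keys together with the `Security_HKLM_only` policy value) rather than per user. The audit function is worth keeping on its own as a check that the setting has not been relaxed since it was applied.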


