Re: CRITICAL??? - Seven New Flaws in Internet Explorer not addressed by MS03-040 or MS03-048

From: Fish (fish_at_INFIDELS.ORG)
Date: 11/28/03

    Date:         Fri, 28 Nov 2003 00:37:37 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Nick FitzGerald wrote:

    <snip>

    > If you give half a nob of goat s**t about your security,
    > turning off active scripting has been necessary since IE
    > has supported it. [...]

    <snip>

    > "Active content" is just wrong.
    >
    > Self-modifying active content doubly so.
    >
    > If you must use IE just say no to scripting

    You'll get no argument from me. :)

    > as nearly every exploitable vulnerability in IE ever has
    > required scripting to actually make it usable and thus useful
    > to your potential attackers.
    >
    > However, if you or your users prefer web sites that work
    > (because so many of them are "designed" ...
    <snip>
    > ...[to use] scripting, [...]) then consider using another
    > browser.

    Or selectively dynamically disable/enable scripting on a web-page by
    web-page (or site by site) basis via a product such as AdCruncher
    Proxy (http://home.sprintmail.com/~dtrout/AdCruncher/ReadMe.html),
    which not all pop-up blockers do.

    (Is this better Russ? :)

    - --
    "Fish" (David B. Trout)
       fish@infidels.org

    Fight Spam! Join CAUCE!
    http://www.cauce.org/

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.4

    iQA/AwUBP8cJUEj11/TE7j4qEQI8KwCfS4hW11r3/j15ufy5Ut3h1e0W2zcAoJRO
    XtzbKLICGDpgh67hqkMvCI+h
    =q75P
    -----END PGP SIGNATURE-----
