Re: How to secure Internet Explorer

From: Rev. Bob 'Bob' Crispen (revbob@crispen.org)
Date: 11/23/02

    Date: 23 Nov 2002 15:21:51 -0000
    From: "Rev. Bob 'Bob' Crispen" <revbob@crispen.org>
    To: focus-ms@securityfocus.com
    
    

    The kindly Rev. overheard "B F" <zaphod_b71@hotmail.com> saying on
    17 Nov 2002:

    > A couple of weeks ago I rolled out IE6 SP1 in the hope for some
    > silence in the ongoing battle of rolling out new patches for IE
    > / Outlook. Ironically some messages on bugtraq indicated that only
    > with this version the exploit works perfectly.

    I'm reacting to the subject line, so this is a bit tangential.

    I wouldn't be a bit surprised if a significant number of people on this
    list treated both MSIE and Outlook as dangerous software.

    In my case, I haven't allowed Outlook, Outlook Express, and the Outlook
    Address Book within ten feet of any of my computers. I haven't
    bothered to remove MSIE, but I only use it on a handful of trusted
    sites while I use Opera for the bulk of my web surfing (I make a point
    of keeping an eye out for security holes in Opera). In addition (don't
    worry, all of this is to make a point) I run a hardware firewall, which
    I've checked with a port scanner, and I send requests on port 113 (the
    only port to which my firewall responded) to a nonexistent host on my
    net. I run ZoneAlarm, and I regularly check on the programs that have
    permission to access the net. I encrypt any files on my machine that
    contain personal information, and I run (and update at least weekly) an
    anti-virus program and AdAware. I visit Windows Update regularly, but
    I don't by any means install everything they want me to install, and I
    absolutely don't let Windows Update run automatically.

    No doubt some people on this very list would consider my practices
    unnecessary, while others would think they're far too risky. But
    that's precisely the point (finally, I get to the point!): *you* need
    to determine the tradeoffs *you* want to make in security versus
    convenience for your own machine. After all, it's your machine. I
    can't think of a subject that interests me less than how safely you
    operate your machine, and I'm sure you can say the same.

    And that brings me to my quarrel with the subject line. I believe it's
    impossible to secure MSIE in an absolute sense without disconnecting it
    from the internet. Some would say even then it's dicey. The same goes
    for other applications, to a greater or lesser extent. What's more, if
    you are under the illusion that any software can be made absolutely
    secure, you are far likelier to engage in dangerous behavior than if
    you have a more realistic idea of the risks.

    The question isn't making MSIE secure, which is impossible and bad for
    you to think about in those terms, but rather (1) knowing the current
    risks, (2) knowing the effects, good and bad, of the current patches,
    and (3) updating and operating MSIE in a way that strikes the kind of
    balance you want to maintain between security and convenience for your
    system.

    You absolutely can update MSIE so that it runs *more* securely, but, as
    you've discovered yourself, not every update is beneficial. Indeed,
    some updates carry undesirable baggage, some unintentionally (as I
    believe is the case with the update you've discussed) and some
    intentionally (as in the installation of Digital Rights Management on
    your system).

    So, to make a long story short (too late!), I think securing MSIE is
    impossible, while operating MSIE *more* safely is not only possible,
    but a darn good idea.

    And if you're shocked at a security patch from Microsoft making your
    machine less secure, simply stop and think about who wrote, tested, and
    delivered the software with security holes in the first place.
    Consider as well who should care more, you or some corporation, about
    the safety of your computer and your data. Do that, and you'll be
    taking the first step on the path to wisdom.

    -- 
    Rev. Bob "Bob" Crispen
    bob at crispen dot org
    Sometimes the journey *is* its own reward - but not when you're
    trying to get to the bathroom in time. - John Kensmark
    

