Re: Another Scripting Hole In Microsoft IE Exposes Local Files
From: Ken Hagan (K.Hagan@thermoteknix.co.uk) Date: 01/07/02
From: "Ken Hagan" <K.Hagan@thermoteknix.co.uk> Date: Mon, 7 Jan 2002 10:49:54 -0000
"Walter Dnes" <waltdnes@waltdnes.org> wrote...
>
> Howsabout if I point out a few counter-examples to your claim that
> IE is totally separate ? If IE isn't integrated into the OS at a low
> level, then kindly explain...
>
> - why it is that when a bug is discovered in Windows Media Player
> that allows "skins" to execute malicious code, the immediate
> workaround is... turning off scripting *IN INTERNET EXPLORER* ?
>
> - why it is that when a bug is discovered in Outlook Express that
> allows email to execute malicious code merely by viewing the
> infected email, the immediate workaround is... turning off
> scripting *IN INTERNET EXPLORER* ?

Because the Media Player and Outlook Express are part of the same
application suite as Internet Explorer. They use a common engine for
HTML, and that engine has a scripting model that is WAY too powerful.
There is nothing that I'd call "low-level" integration. That is, all
the software is running in the security context of the currently logged
in user, just like Opera. If IE/OE/MP and the rest were supported by
some kind of daemon (service) process then there would indeed be a
case for MS to answer.

Then again, these applications are bundled with the OS, so users will
have them installed whether they use them or not. Simply deleting the
EXEs won't do, since they are mostly just containers for the actual
mechanics, and the real code lives in numerous (scriptable) DLLs.

> Also notice that many users of IE got infected by NIMDA *BY MERELY
> VIEWING AN INFECTED WEBPAGE*, because *WINDOWS* executed the webpages'
> code. Somehow, that type of stuff doesn't seem to happen to Opera or
> Netscape, even with scripting enabled.

As I said, above and in an earlier post, the scripting model in IE is
much too powerful for its own good.