Re: Spyware and Adware affect every internet user
- From: Fuzzy Logic <bob@xxxxxxxxxxxxxxxxxxx>
- Date: Tue, 02 May 2006 20:21:22 GMT
Sebastian Gottschalk <seppi@xxxxxxxxx> wrote in
news:4bni0hF12ds9iU1@xxxxxxxxxxxxxx:
Fuzzy Logic wrote:
And yes, I'm aware of the irony that an IE user can't learn about the
vulnerabilities that well. But as IE isn't suitable as a webbrowser
anyway, who cares?
Apparently you do. I've been using it for years without a single
incident.
But you're aware that this is dedicated either to luck or being unable
to recognize the problem? I just remember a cracked adserver serving a
trojan horse exploiting a formerly unpatched vulnerability...
Anyone with XP SP2 was immune.
Fine, but MSIE is insecure by design. It will always be insecure no
matter how much you patch. And Microsoft stopped patching certain
critical vulnerabilities back in April '03!
So you're saying Microsoft (or any other software company)
intentionally writes insecure software?
In case of IE: probably yes. I guess they've bet on being able to take
over the WWW before the big issues emerge.
The best you can do is find a
well supported OS/browser YOU like, learn and use its security
features, keep it patched and up to date, practice safe surfing and
be diligent and you will likely be as 'secure' as you can be.
Fine, but MSIE has never been designed to be used on any untrusted
network.
So YOU say. Regardless of the browser you use it will have
vulnerabilities.
No, there are numerous _design_ errors that make it unsuitable.
One good example is the cross-site/domain policy in JavaScript. As the
security researcher Liu Die Yu pointed out [1], the implementation is
based on a script from a trusted server enforcing access denial from
untrusted servers, but there's no protection from scripts from untrusted
servers accessing trusted zones.
Turn off scripting if you are concerned or change the security level for it.
Gregor Guninski pointed out that ActiveX is also a design error: What if
a vendor has shipped a signed defective (read: exploitable) ActiveX
control, but has some important software bind to exactly that version
and revoking it (with the use of a CRL) would break that software?
And well, this happened: MS Office Web Control 10 [2]
Means: Every ActiveX control, even when preinstalled, is evil. Always.
Just not counting many other ActiveX issues (like autoloading, install
redirection and invocation side-effects).
Don't run ActiveX if you are concerned or configure it for sites that really require it.
And there're many other issues [3] that cross-site scripting and
spoofing actually are features rather than vulnerabilities. And I still didn't
include the even worse flaws of versions prior to IE6SP2. (F.e. it's no
problem to move an image over both the address bar and a download
dialogue!)
I am talking about a properly maintained and up to date system. This means XP SP2 and all updates installed.
[1] http://www.safecenter.net/crosszone/ie/SaveRef.htm
[2] http://www.guninski.com/signedactivex2.html
[3] http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml
Regardless of the browser you use there will be vulnerabilities/risks. If you don't like IE or feel it's unsafe
then don't. Here's a good read if you think switching to Firefox will somehow make your life better:
http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html