Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!

From: WinGuy (no_spam_at_nomail.bot)
Date: 07/04/04

Date: Sun, 04 Jul 2004 16:37:02 GMT

"BeamGuy" <nobody@spam.com> wrote in message
news:%23mmNhtTYEHA.212@TK2MSFTNGP12.phx.gbl...
> > I do hope you applied the patch before you turned it back on. I'm not sure
> > you can tolerate much more negative karma. The patch along with proper
> > configuration of IE should result in getting very few informative little
> > messages, although a few might quite purposefully seek out you and other
> > users of IE.
>
> According to these people the patch does not plug the hole... And if I follow
> the links to the original report of the vulnerability 10 months ago the code
> is so simple I am tempted to try it myself. I assume they mean it does not
> plug the hole with scripting and activex in their default settings.
> http://isc.sans.org/diary.php

I do not see such a claim at that above link; perhaps it has been modified
since you saw it. And the link info does not quite seem to jibe with what I
think I read in the MS info about the IE patch, the link to which I gave in
a previous message in this topic, in that the link you provided above, when I
read it, states "the patch will just turn off the ADODB.Stream ActiveX
Control". But that is not my understanding, because I understood that only
and very specifically the write-to-disk functionality of that control was
disabled by the MS patch. Perhaps someone else has info to the contrary and
that other functionality of the control remains. I've never used that
control from a programming environment, so all I can relate to is what MS
appears to say in print and to trust other source quotes after some
questioning to help assure accuracy.

> I have not found any settings tighter than the default that give an acceptable
> web experience.

I feel that the default settings for IE are *not* safe to use.

I don't allow programs to run in an iframe, I don't allow usage of unsigned
or unauthenticated components or scripting of components, I don't allow
redirection without prompt or navigation across domains but I do allow
redirection by meta refresh, I don't allow mixed content without prompt, I
don't allow installation of desktop items, java and software channel
permissions are set to high safety, active scripting is allowed but paste
operations are not allowed by script, install on demand is not allowed in
any case at all, and synchronization on schedule is not allowed. These are
not default settings but they let me see and use everything, including my
usage of online banking. I also use ZoneAlarm Pro, which gives much finer
granularity over webpage code content permissions (the free version of
ZoneAlarm does not provide this). In general, I set ZAP to disallow most
everything in webpages and I only enter specific exceptions for specific
domains; somewhat of a pain at times but a very, very safe practice. And of
course, I keep MS updates current. I also use the NoFlash! multimedia ad
blocking, and for a popup killer (IE specific) I use Silver Bullet, which is
very hard to find on the net but it's trainable and I really think it's the
best.

I also use Ad-aware 6, Spybot (including its 2 resident modules, BHO control
etc. available in its advanced settings), SpywareGuard, SpywareBlaster, and
Dialer Control (a German product with non popup ads that ZoneAlarm and
NoFlash! disallow) to prevent unauthorized usage of the phone modem. I also
use AVG Pro, because of its granularity of settings that the free version
does not provide for firewall functions. All these things I do on a personal
usage computer, which sits behind a router.

I do all those things for an IIS5 server, too, which sits behind its very
own router and with no LAN access at all. It usually gets attacked at least
once, daily. I use an extra and additional firewall with the server, too
(BlackIce). It also has very extensive NTFS custom permission settings,
which is really key to IIS security, as well as being constantly kept
updated in all regards. Consequently, it has successfully warded off every
single attack it has suffered in nearly 2 years of operation. It was not
susceptible to the dual-method exploit that could cause IIS to redirect to
that Russian site which ran malicious code that the patch MS came out with
fixed in IE. But everything works with IIS, all functionality has always
been enabled without exception and it has never (yet) been compromised or
used in an abusive fashion. I feel pretty confident with its security, and I
address new issues immediately upon discovering them, I keep a close eye on
its activity, and it emails me if something weird happens. About all it is
susceptible to is a DoS because of an intense attack that still will not
actually compromise the server.

I subscribe to email security alerts, including from Microsoft, and I take
immediate action if needed - I know the script kiddies are drooling and
slobbering, just looking for ways to be annoying or worse; what a waste of
talent. Running IIS is a responsibility to others, and those others are not
going to suffer from a compromised server under my admin because of my being
lazy in doing what should be done and in a timely fashion. If I couldn't do
the responsibility thing and all it implies then I would not administer. I
have no pity for admins that got caught having been lazy and as a result IE
users got compromised - it should not have happened via IIS admin inaction
and that part of the exploit was very avoidable. That was a breach of public
trust, IMHO. Well, now those admins have learned a lesson. So have their
website users.

This is not a plug-n-play world when it comes to using any browser or
server. One must educate themselves on how to properly use an automobile,
and the same for using internet accessing programs. Everything can be abused
or sabotaged in some way; diligence is constantly required. I do educate
myself, I bother to learn, both to protect myself and to help protect
against potential abuse to others. I don't complain that it's not all
already done for me or if a complicated fix isn't immediately available. I
would complain if flaws don't get fixed at all, because interim options are
then limited without good cause and that is nothing less than negligence.

> > Annoyance is understandable and unavoidable. Why and how annoyance is
> > directed is truly a matter of free will that can be productive, or it can be
> > counter productive. In the universe as mankind currently understands it,
> > perfection is but an ultimately unattainable goal.
>
> Indeed - this is likely not the place for this discussion and I have likely gone
> too far to the emotional side of things. I apologize if I offended anyone. Maybe
> in fact I am glad that all this has come to a head right now. After having tried
> the Firefox browser I find it to be quite a nice little toy. Perhaps open source
> is indeed the way of the future.
>
> I'm still not sure that I trust my computer to do online banking anymore,
> even if I am pretty sure I have not been infected. I am very concerned for
> all my friends and relatives who will not take the time to use anything else
> that does not come in the box, but with all the publicity these days what
> comes in the box may soon change.
>
> http://www.cnn.com/2004/TECH/internet/07/02/alternative.browsers.ap/index.html

Even with alternative browsers, some things still require usage of IE if
Windows is the operating system. I too feel for those who will not "take the
time", although I think the proper terminology is "responsibility". Maybe in
50 years from now those people will enjoy what is not practical today.
Perhaps something like Hal will really exist then.
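The per-zone IE settings WinGuy lists above (programs in an IFRAME, unsigned components, cross-domain navigation, META REFRESH, mixed content, desktop items, Java and software channel safety, active scripting, paste via script) each correspond to a named value under the Internet zone (zone 3) in the registry, so they can be audited rather than clicked through in the Security tab. The script below is an added example written for this archive page; it is not part of the original post and not a Microsoft tool. It reads the zone 3 values for the current user (or for the machine, when the Security_HKLM_only policy value says per-user settings are ignored) and compares them with a baseline that is my reading of the poster's list; the exact baseline numbers are an assumption, not his configuration, and install-on-demand and scheduled synchronization are left out because they are not per-zone values. It also reports whether the ADODB.Stream control carries the ActiveX kill bit, which is the mechanism Microsoft's KB 870669 guidance uses to stop IE from instantiating that control. The value names and the 0/1/3 action codes come from Microsoft KB 182569; the CLSID is the registered one for ADODB.Stream and does not appear on this page.

```powershell
# Added example (not from the original post): audit IE "Internet" zone settings
# and the ADODB.Stream kill bit. Value names and action codes: Microsoft KB 182569.
# Assumption: the baseline below is a reading of the poster's described choices.

$Zone3 = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action codes for per-zone values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Java (1C00) and software channel (1E05) permissions: 0x10000 = High safety.
$Baseline = @(
    @{ Value = '1804'; Setting = 'Launch programs and files in an IFRAME';        Want = 3 }
    @{ Value = '1004'; Setting = 'Download unsigned ActiveX controls';            Want = 3 }
    @{ Value = '1201'; Setting = 'Initialize and script ActiveX not marked safe'; Want = 3 }
    @{ Value = '1607'; Setting = 'Navigate sub-frames across different domains';  Want = 3 }
    @{ Value = '1608'; Setting = 'Allow META REFRESH';                            Want = 0 }
    @{ Value = '1609'; Setting = 'Display mixed content';                         Want = 1 }
    @{ Value = '1800'; Setting = 'Installation of desktop items';                 Want = 3 }
    @{ Value = '1C00'; Setting = 'Java permissions';                              Want = 0x10000 }
    @{ Value = '1E05'; Setting = 'Software channel permissions';                  Want = 0x10000 }
    @{ Value = '1400'; Setting = 'Active scripting';                              Want = 0 }
    @{ Value = '1407'; Setting = 'Allow paste operations via script';             Want = 3 }
)

function Get-ActiveZoneHive {
    # When Security_HKLM_only is 1, IE ignores per-user zone settings (KB 182569),
    # so the machine hive is the one that actually governs the browser.
    $p = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = (Get-ItemProperty -Path $p -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
    if ($v -eq 1) { 'HKLM' } else { 'HKCU' }
}

function Test-InternetZoneBaseline {
    $hive  = Get-ActiveZoneHive
    $props = Get-ItemProperty -Path "${hive}:\$Zone3" -ErrorAction SilentlyContinue
    foreach ($b in $Baseline) {
        $actual = $props.($b.Value)          # $null when the value is not present
        [pscustomobject]@{
            Hive    = $hive
            Value   = $b.Value
            Setting = $b.Setting
            Want    = '0x{0:X}' -f $b.Want
            Actual  = if ($null -eq $actual) { '(unset)' } else { '0x{0:X}' -f $actual }
            Ok      = ($actual -eq $b.Want)
        }
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # The ActiveX kill bit is bit 0x400 of "Compatibility Flags" under the CLSID key;
    # when set, IE refuses to create the control regardless of zone settings.
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = if ($null -eq $flags) { '(unset)' } else { '0x{0:X}' -f $flags }
        KillBit = [bool]($flags -band 0x400)
    }
}

# Registered CLSID of ADODB.Stream (not taken from the post; documented in KB 870669).
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'

Test-InternetZoneBaseline | Format-Table -AutoSize
Test-KillBit -Clsid $AdodbStreamClsid | Format-List
```

Run it in a normal user session to see the settings that actually apply to that user's browser; rows with Ok = False are the ones that differ from the tightened baseline, and "(unset)" means IE is falling back to the zone's built-in default for that value. The kill-bit line answers the question the thread argues about from a different angle: it does not say what the patch changed inside the control, only whether IE will load the control at all.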

