IE Trusted Domain Default Settings Facilitate Silent Installation of Exe
From: Greg Kujawa (anonymous_at_discussions.microsoft.com)
Date: 12/30/03
- Previous message: Adam Leinss: "Re: Securing XP from teenager"
- In reply to: Mike Larson: "IE Trusted Domain Default Settings Facilitate Silent Installation of Exe"
- Next in thread: Mike Larson: "IE Trusted Domain Default Settings Facilitate Silent Installation of Exe"
- Reply: Mike Larson: "IE Trusted Domain Default Settings Facilitate Silent Installation of Exe"
Date: Tue, 30 Dec 2003 08:55:26 -0800
Have you tested this out yourself? Back when Secunia
announced the four cross-site/active scripting flaws a
month or so ago I disabled Active Scripting for all zones.
This isn't done by selecting the Low, Medium-Low, Medium-High,
or High security levels. It's done by defining a Custom
Security level that disables Active Scripting altogether.
I know for a fact that disabling Active Scripting
invalidates what your Security Tracker bulletin is
asserting. Whenever I click on a URL in Outlook the IE
window won't populate with the destination web site. Taken
a step further, when I click on any URL on a web site that
performs any type of executable scripting that control is
totally nullified. It does nothing.
That being said, there are certain cases where you want
Active Scripting enabled so that intended content can
function. In that case rather than selecting the Disable
radio button, select the Prompt radio button in the Custom
security settings. That way the user is presented with an
option to run the scripting. Perhaps enable this only for
Trusted Sites that are manually added to the list and this
would be a decent workaround.
Don't think that I'm making excuses for Microsoft's poor
HTML security model. I certainly am not. But since they
haven't patched any of the recently announced exploits
there should be some pursuit of getting holes patched.
Personally my preferred patch will soon be installing
Mozilla!
>-----Original Message-----
>"This may be achieved with the Internet Explorer series of
>so-called "browsers", all security settings set to HIGH !"
>
>>-----Original Message-----
>>This might sound sarcastic but it isn't intended to be.
>>In order to address this wouldn't you just enter the
>>Trusted zone in the settings and adjust the default
>>settings to be stricter (or even custom)?
>>
>>I agree by default IE should install with stricter
>>security settings for Intranet, Internet, Restricted, and
>>Trusted zones. Similar to how Windows XP shipped with lax
>>default security settings in many areas.
>>
>>But a fix for this is simply publishing suggested settings
>>and providing navigational details to where you can change
>>these settings. Right?
>>
>>>-----Original Message-----
>>>An exploit method was reported in Microsoft Internet
>>>Explorer, illustrating IE's weak default settings for the
>>>'Trusted Site' security zone. A remote user can create HTML
>>>that will cause an arbitrary executable to be silently
>>>downloaded to and installed on a target user's system.
>>>
>>>http://www.securitytracker.com/alerts/2003/Dec/1008558.html
>>>
>>>I hope this is addressed very quickly.
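The workaround described in the reply above (Active Scripting set to Disable through a Custom level in every zone, and to Prompt only for hand-added Trusted Sites) expressed as an administrator would apply and audit it today. This is an added example, not code from the original message or from Microsoft: it assumes the documented per-user registry layout for IE security zones (value `1400` under `Zones\<n>` is the Active Scripting action, with data 0 = Enable, 1 = Prompt, 3 = Disable; zone ids 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites; `ZoneMap\Domains` entries with data 2 place a host in Trusted Sites). The function names are the example's own.

```powershell
# Added example (not from the original post). Audits and sets the current user's
# per-zone "Active scripting" action in Internet Explorer, then lists which hosts
# are mapped into the Trusted sites zone so the Prompt setting only reaches sites
# that were added deliberately.
#
# Assumed registry layout (documented IE zone settings, current user only):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#     value 1400 (DWORD) = Active scripting: 0 = Enable, 1 = Prompt, 3 = Disable
#   HKCU\...\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
#     value <scheme or *> (DWORD) = zone id; 2 = Trusted sites
# Caveat: Group Policy, or a machine that sets Security_HKLM_only under HKLM,
# overrides these per-user values; this script does not touch HKLM.

$ZoneBase       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames      = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActiveScripting = '1400'

function Get-ActiveScriptingPolicy {
    # One object per zone with the current Active scripting action.
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $key   = Join-Path $ZoneBase $zone
        $value = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        [pscustomobject]@{
            Zone   = $zone
            Name   = $ZoneNames[$zone]
            Value  = $value
            Action = if ($null -eq $value) { '(not set)' } else { $ActionNames[[int]$value] }
        }
    }
}

function Set-ActiveScriptingPolicy {
    param(
        [Parameter(Mandatory)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Prompt', 'Disable')][string]$Action
    )
    $data = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Action]
    $key  = Join-Path $ZoneBase $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $data -Type DWord
}

function Get-TrustedSiteEntries {
    # Walk ZoneMap\Domains (domain keys may have host subkeys) and report every
    # scheme value that maps into zone 2.
    Get-ChildItem -Path $ZoneMapDomains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        foreach ($prop in $item.GetValueNames()) {
            if ($item.GetValue($prop) -eq 2) {
                [pscustomobject]@{
                    Domain = ($item.PSPath -replace '.*\\Domains\\', '')
                    Scheme = $prop
                }
            }
        }
    }
}

# Apply the workaround from the post: Disable in Intranet, Internet and Restricted,
# Prompt in Trusted sites only.
foreach ($zone in 1, 3, 4) { Set-ActiveScriptingPolicy -Zone $zone -Action Disable }
Set-ActiveScriptingPolicy -Zone 2 -Action Prompt

# Audit the result and the membership of the Trusted sites zone.
Get-ActiveScriptingPolicy | Format-Table -AutoSize
Get-TrustedSiteEntries    | Format-Table -AutoSize
```

Run `Get-ActiveScriptingPolicy` before changing anything to record the starting state; if a zone still reports Enable after the `Set-` calls, a policy under HKLM or Group Policy is taking precedence and the per-user change is being ignored.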