Full Disclosure mailing list archives
RE: How big is the danger of IE?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 09 Jul 2004 13:03:22 +1200
"Larry Seltzer" <larry () larryseltzer com> wrote:
Outlook and Outlook Express use IE to display HTML mails, which make some of the IE bugs exploitable (I don't know if it's the case for this one).In general this isn't true for any remotely recent copy of either program. Both run HTML mail in the restricted zone which disabled all script, ActiveX and anything else dangerous
I think you missed a rather major aspect of several recent IE vulnerability discussions -- the security zone model itself (well, at least its implementation in IE, etc) _is the problem_ and can often be exploited independent of the scritping, and other active content processing, state of the zone in which some arbitrary piece of HTML is rendered. It is such highly undesirable features of IE and friends, plus the high level of cross-application integration of these fundamentally flawed components, that prompted CERT to take the unprecedented (?) move of writing: http://www.kb.cert.org/vuls/id/713878 ... Use a different web browser There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE- specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). That CERT made such a public stand should have been a serious brown- alert moment for all those corporates who have not taken good, solid, informed security advice from the last two-plus years that they should seriously consider removing MS HTML rendering components (or at least opportunities for those components to do such rendering) from their systems. In short, it seems CERT has joined the ranks of those who feel that hoping MS will properly fix IE is a lost cause, or at least leaves you exposed to generally unacceptable threats too often and for too long. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- How big is the danger of IE? Yaakov Yehudi (Jul 08)
- RE: How big is the danger of IE? Yaakov Yehudi (Jul 08)
- RE: How big is the danger of IE? Sapheriel (Jul 08)
- RE: How big is the danger of IE? Eric Paynter (Jul 08)
- RE: How big is the danger of IE? Sapheriel (Jul 08)
- Re: How big is the danger of IE? nicolas vigier (Jul 08)
- RE: How big is the danger of IE? Larry Seltzer (Jul 08)
- RE: How big is the danger of IE? Eric Paynter (Jul 08)
- RE: How big is the danger of IE? Nick FitzGerald (Jul 08)
- RE: How big is the danger of IE? Larry Seltzer (Jul 08)
- Message not available
- RE: How big is the danger of IE? Nick FitzGerald (Jul 08)
- RE: How big is the danger of IE? Curt Purdy (Jul 11)
- RE: How big is the danger of IE? Eric Paynter (Jul 08)
- RE: How big is the danger of IE? Eric Paynter (Jul 08)
- RE: How big is the danger of IE? joe (Jul 08)
- RE: How big is the danger of IE? Eric Paynter (Jul 08)
- Re: How big is the danger of IE? Valdis . Kletnieks (Jul 09)
- <Possible follow-ups>
- RE: How big is the danger of IE? Randal, Phil (Jul 08)
- RE: How big is the danger of IE? Randal, Phil (Jul 08)