
Full Disclosure mailing list archives

RE: IE Web Browser: "Sitting Duck"
From: "joe" <mvp () joeware net>
Date: Sat, 3 Jul 2004 11:56:42 -0400

Couple of things.

1. The conversation you are referring to was a conversation about issues
with core base components that necessitated a complete redesign. You kept
bringing up items that were NOT core base components - they were UI
components. IE being one of them. The very fact that you have a choice to
use a different browser should help you understand that. Try to use a
different ACL system on Windows NT based systems and tell me how that goes. 

2. Re: CERT's bluntness. You post the sixth option of six posted options
like this is the only thing they said. Had they not offered this as one
option it would have been an oversight on their part.


3. I don't know why you find this stunning. You tend to find more press
complaining about MS than others. MS is fun to complain about, easy target.
And, as mentioned previously, being the most popular, good for attracting
attention to your server/newspaper/station when you mention them. I.e., they
make good news.

  joe 



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Edge, Ronald D
Sent: Tuesday, June 29, 2004 10:26 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] IE Web Browser: "Sitting Duck"

I find it pretty stunning that now even the mainstream corporate online IT
press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.

I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI interface",
and ignoring all efforts to focus attention on such facts as pointed out
even in this CNET news.com article:

"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it supports
powerful, proprietary Microsoft technologies that are notoriously weak on
security, like ActiveX."
        
http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697.html?tag=nefd.lede

Even CERT has issued an advisory that is really quite amazing in its
bluntness:
        http://www.kb.cert.org/vuls/id/713878
which was last updated June 25, 2004 in the wake of the download.ject attack
by what appears to have been Russian criminal gangs out of a web site now
shut down in Russia.

"Use a different web browser"
"There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML)."

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics edge () indiana edu  (812)855-9010
http://iuhoosiers.com http://mainsleazespam.com

Corporate IT's reaction to spyware has been surprising: it's been largely
swept under the rug. The problem is that you can't hide an elephant by
sweeping it under the rug. It leaves quite a bulge.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

