Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: How big is the danger of IE?
From: "joe" <mvp () joeware net>
Date: Thu, 8 Jul 2004 17:17:43 -0400


http://www.kb.cert.org/vuls/id/713878

The link above is the advisory that theregister is talking about. I know it
is unusual for theregister but they seemed to have missed a hefty part of
the whole advisory when reporting it.



Here is the specific section:


III. Solution
Until a complete solution is available, consider the following workarounds. 

Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any
zone used by an attacker) appears to prevent exploitation of this
vulnerability. Disabling Active scripting and ActiveX controls in the Local
Machine Zone will prevent widely used payload delivery techniques from
functioning. Instructions for disabling Active scripting in the Internet
Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See Microsoft
Knowledge Base Article 833633 for information about securing the Local
Machine Zone. Also, Service Pack 2 for Windows XP (currently in beta
release) includes these and other security enhancements for IE.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install
the Outlook Email Security Update. The update configures Outlook to open
email messages in the Restricted Sites Zone, where Active scripting is
disabled by default. In addition, the update provides further protection
against malicious code that attempts to propagate via Outlook. The Outlook
Email Security Update is available for Outlook 98 and Outlook 2000. The
functionality of the Outlook Email Security Update is included in Outlook
2002 and Outlook Express 6. Outlook 2003 includes these and other security
enhancements.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view
email messages in text format. Consider the security of fellow Internet
users and send email in plain text format when possible. Note that reading
and sending email in plain text will not necessarily prevent exploitation of
this vulnerability.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent
some exploit attempts. Variations of exploits or attack vectors may not be
detected. Do not rely solely on anti-virus software to defend against this
vulnerability. US-CERT maintains a partial list of anti-virus vendors.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web
forums, or internet relay chat (IRC) channels. While this is generally good
security practice, following this behavior will not prevent exploitation of
this vulnerability in all cases, particularly if a trusted site has been
compromised or allows cross-site scripting.

Use a different web browser 

There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML). 



 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Skander Ben
Mansour
Sent: Thursday, July 08, 2004 3:59 PM
To: 'Yaakov Yehudi'; FULL-DISCLOSURE () lists netsys com
Subject: RE: [Full-disclosure] How big is the danger of IE?

<SNIP>

CERT recently recommended using a different web browser:
http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/
http://www.us-cert.gov/current/current_activity.html#iis5
"There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML). "

I hope this helps.

Best Regards,

Skander Ben Mansour



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Yaakov Yehudi
Sent: Thursday, July 08, 2004 7:59 AM
To: FULL-DISCLOSURE () lists netsys com
Subject: [Full-disclosure] How big is the danger of IE?


I would be interested to hear just how big the danger of IE is.  
How could it affect the privacy of big business?, or any business for that
matter?  

or what about the Government - could information leak from govenrment
employees computers?  They do something to stop that right?

Bob Palliser


                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]