mailing list archives
RE: How big is the danger of IE?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 09 Jul 2004 13:03:22 +1200
"Larry Seltzer" <larry () larryseltzer com> wrote:
Outlook and Outlook Express use IE to display HTML mails, which make some of the IE
bugs exploitable (I don't know if it's the case for this one).
In general this isn't true for any remotely recent copy of either program. Both run HTML
mail in the restricted zone which disabled all script, ActiveX and anything else
I think you missed a rather major aspect of several recent IE
vulnerability discussions -- the security zone model itself (well, at
least its implementation in IE, etc) _is the problem_ and can often be
exploited independent of the scritping, and other active content
processing, state of the zone in which some arbitrary piece of HTML is
rendered. It is such highly undesirable features of IE and friends,
plus the high level of cross-application integration of these
fundamentally flawed components, that prompted CERT to take the
unprecedented (?) move of writing:
Use a different web browser
There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object
model, MIME type determination, and ActiveX. It is possible to
reduce exposure to these vulnerabilities by using a different web
browser, especially when browsing untrusted sites. Such a decision
may, however, reduce the functionality of sites that require IE-
specific features such as DHTML, VBScript, and ActiveX. Note that
using a different web browser will not remove IE from a Windows
system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML).
That CERT made such a public stand should have been a serious brown-
alert moment for all those corporates who have not taken good, solid,
informed security advice from the last two-plus years that they should
seriously consider removing MS HTML rendering components (or at least
opportunities for those components to do such rendering) from their
In short, it seems CERT has joined the ranks of those who feel that
hoping MS will properly fix IE is a lost cause, or at least leaves you
exposed to generally unacceptable threats too often and for too long.
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
RE: How big is the danger of IE? Skander Ben Mansour (Jul 09)