Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: How big is the danger of IE?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 09 Jul 2004 13:03:22 +1200

"Larry Seltzer" <larry () larryseltzer com> wrote:

Outlook and Outlook Express use IE to display HTML mails, which make some of the IE
bugs exploitable (I don't know if it's the case for this one).

In general this isn't true for any remotely recent copy of either program. Both run HTML
mail in the restricted zone which disabled all script, ActiveX and anything else

I think you missed a rather major aspect of several recent IE 
vulnerability discussions -- the security zone model itself (well, at 
least its implementation in IE, etc) _is the problem_ and can often be 
exploited independent of the scritping, and other active content 
processing, state of the zone in which some arbitrary piece of HTML is 
rendered.  It is such highly undesirable features of IE and friends, 
plus the high level of cross-application integration of these 
fundamentally flawed components, that prompted CERT to take the 
unprecedented (?) move of writing:



   Use a different web browser

   There are a number of significant vulnerabilities in technologies
   relating to the IE domain/zone security model, the DHTML object
   model, MIME type determination, and ActiveX. It is possible to
   reduce exposure to these vulnerabilities by using a different web
   browser, especially when browsing untrusted sites. Such a decision
   may, however, reduce the functionality of sites that require IE-
   specific features such as DHTML, VBScript, and ActiveX. Note that
   using a different web browser will not remove IE from a Windows
   system, and other programs may invoke IE, the WebBrowser ActiveX
   control, or the HTML rendering engine (MSHTML).

That CERT made such a public stand should have been a serious brown-
alert moment for all those corporates who have not taken good, solid, 
informed security advice from the last two-plus years that they should 
seriously consider removing MS HTML rendering components (or at least 
opportunities for those components to do such rendering) from their 

In short, it seems CERT has joined the ranks of those who feel that 
hoping MS will properly fix IE is a lost cause, or at least leaves you 
exposed to generally unacceptable threats too often and for too long.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]