Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: IE is just as safe as FireFox
From: "joe" <mvp () joeware net>
Date: Fri, 19 Nov 2004 10:51:43 -0500

Autoconfig script may enumerate hosts which don't require a proxy. 
Usually there are a very few intranet servers in corporate network.

You should have prefixed "there are very few... " with one of two things 

1. Relative to the internet...

2. In my experience...

I have been on several large corporate networks where there are hundreds or
thousands of intranet web servers hosting tens of thousands of sites. Many
large enterprise class companies are moving whole hog to web based apps
internally (even email) and all available content is on the internal web. 

This is actually the area where IE is so strongly embedded due to its
application interfaces and what MS has been building towards for so long
with it. If you look at this space and compare how firefox renders/operates
next to IE you will see why many companies chose IE as their official
browser even in the face of having more exposure due to security. A lot of
that depends on how the web site is designed/built but there is a lot of
functionality there that can only be reached (and thereby exploited) on IE.
There are companies whose primary LOB applications internally are on IIS
servers and can only be accessed with IE. In those cases it isn't a simple
pick up and replace the browser scenario. 

More, I consider IE feature to ignore proxy for LAN hosts may be 
dangerous. Imagine a worm which spreads by this algorithm: it 
launches HTTP service on victim host, lures user at another PC to 
open URL pointing to victim, then launches on target PC. The fact 
as previosly affected host is situated in Local intranet zone, 
significantly facilitates worm spreading.

I wouldn't really call that a worm. Worms work without interaction. They are
self-propagating/replicating. Malware that spreads that requires user
interaction would generally just be called a virus.

Overall trying to push intranet users accessing intranet content through a
proxy to sanitize web pages would be unsatisfactory because it couldn't
fully be enforced since the content is available right there on the
intranet. Someone could do some form of offline gather or use many different
tools to get the data so forcing firefox or IE to go to a specific proxy
does nothing for you. You would have to put the intranet servers behind some
sort of firewall that you would have to access them though. Plus you
obviously have to scale the proxy to a completely different level if
processing all intranet requests as well as internet requests. 


Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Raoul
Sent: Friday, November 19, 2004 5:01 AM
To: Esmond; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] IE is just as safe as FireFox

Hello, Esmond!

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]