Open Source and information security mailing list archives
 
From: mvp at joeware.net (joe)
Subject: IE Web Browser: "Sitting Duck"

Couple of things.

1. The conversation you are referring to was a conversation about issues
with core base components that necessitated a complete redesign. You kept
bringing up items that were NOT core base components - they were UI
components. IE being one of them. The very fact that you have a choice to
use a different browser should help you understand that. Try to use a
different ACL system on Windows NT based systems and tell me how that goes. 

2. Re: Cert's bluntness. You post the sixth option of six posted options
like this is the only thing they said. Had they not offered this as one
option it would have been an oversight on their part.

3. I don't know why you find this stunning. You tend to find more press
complaining about MS than other. MS is fun to complain about, easy target.
And, as mentioned previously, being the most popular, good for attracting
attention to your server/newspaper/station when you mention them. I.E. They 
make good news.

  joe 



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Edge, Ronald D
Sent: Tuesday, June 29, 2004 10:26 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] IE Web Browser: "Sitting Duck"

I find it pretty stunning that now even the mainstream corporate online IT
press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.

I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI interface",
and ignoring all efforts to focus attention on such facts as pointed out
even in this CNET news.com article:

"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it supports
powerful, proprietary Microsoft technologies that are notoriously weak on
security, like ActiveX."
	
http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697.html?tag=nefd.lede

Even CERT has issued an advisory that is really quite amazing in its
bluntness:
	http://www.kb.cert.org/vuls/id/713878
which was last updated June 25, 2004 in the wake of the download.ject attack
by what appears to have been Russian criminal gangs out of a web site now
shut down in Russia.

"Use a different web browser"
"There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML)."

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics edge@...iana.edu  (812)855-9010
http://iuhoosiers.com http://mainsleazespam.com

Corporate IT's reaction to spyware has been surprising: it's been largely
swept under the rug. The problem is that you can't hide an elephant by
sweeping it under the rug. It leaves quite a bulge.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


