[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <8B32EDC90D8F4E4AB40918883281874D273C64@pivxwin2k1.secnet.pivx.com>
Date: Mon, 29 Dec 2003 11:05:35 -0800
From: <tlarholm@...x.com>
To: <1@...ware.com>, <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: RE: DANGER ZONE: Internet Explorer
What this all boils down to is that when you add a site to the Trusted
Zone you are giving it additional privileges - this is by design and not
a vulnerability. You can read more about IE Security Settings at
http://www.microsoft.com/windows/ie/using/howto/security/settings.asp
from which we can also read about the Trusted Zone that you should:
"Add a site to this zone only if you trust that it would never cause
harm to your computer."
Giving any site additional executional privileges means that you are
extending your level of trust. You are trusting that the site in
question does not get compromised and have its content replaced with
malicious code, and you are trusting that the site does not have any XSS
errors that would allow harmful code injection into the HTML stream.
There are no sites in the Trusted Zone on a default installation so the
impact is significantly lowered. However, Windows Update is hardcoded to
have additional privileges so if you want to try and practically abuse
the level of trust you would have better luck in trying to find XSS
errors on the Windows Update site or find ways to beat the URL parsing
algorithm that detects whether IE is on the Windows Update site or not.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
949-231-8496
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>
-----Original Message-----
From: http-equiv@...ite.com [mailto:1@...ware.com]
Sent: Friday, December 26, 2003 9:02 AM
To: bugtraq@...urityfocus.com
Cc: NTBugtraq@...tserv.ntbugtraq.com
Subject: DANGER ZONE: Internet Explorer
<snip
http://www.securityfocus.com/archive/1/348363/2003-12-26/2004-01-01/0>
<snip http://tinyurl.com/3eldd>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists