Message-ID: <40CF469F.2881.84BBDAF6@localhost>
Date: Tue, 15 Jun 2004 18:57:35 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: MS web designers -- "What Security Initiative?"
Greg Kujawa <greg.kujawa@...mondcellar.com> wrote:
<<snip>>
> Here's my question. Everyone please feel free to point out its validity
> as necessary. Why not add www.microsoft.com to your Trusted Sites list
You'd trust them after all that history?
Aside from the very shoddy security history (which shows little real
indication of changing, no matter how many column inches the MS
publicity steam-roller manages to drum up to the contrary), MS is a
"big target" so microsoft.com is more likely to be targeted for attack.
> and allow this Internet Zone to have Active Scripting function as
> prompted? Are there cross-site exploits present that even make this a
> poor solution? This is the interim solution I have in place at my
> business locations. ...
Given IE's history, I'd probably be more worried about _cross ZONE_
security flaws than cross site ones (not that the latter aren't
potentially significant). In fact, cross zone vulns are among those
MS is slowest to fix and most likely to be only partially fixed,
with trivial exploit variants surfacing after the first patch. Such
attacks _are_ widely used, as many, many weeks of ms-its: protocol
abuse by spammers and adware peddlers recently showed (of course, they
continue with such abuse because there are tons of users who are still
vulnerable because they have not patched, but that's not you).
Because the security zone model is so fundamentally broken (arguably
broken by design given its vulnerability history), I am quite reluctant
to give any domain raised privileges by adding it to that zone (and, in
my admittedly self-preservationally paranoid IE configuration, those
"raised" privileges are not even equivalent to the way too liberal
default "Internet zone" settings).
> ... We have to use Internet Explorer for work-related
> application requirements. ...
Utter rubbish!
Anyone who says "we have to use IE because..." is then simply mouthing
some other vendor's security ignorance which boils down to either or
both of:
we [the other vendor] are lazy scumbags who can't be bothered to
learn how to write our programs well
and:
we [the other vendor] don't give a sh*t about our clients' system
security because we are so arrogant as to require our clients to use
products no-one with any security smarts would wish on their worst
enemies
It's not quite exactly the same, but can anyone really see any
fundamental practical difference between the situation:
Supplier X requires us to run Security-bug_Ridden_Web_Browser Y (aka
IE)
and the first "immutable security law":
If a bad guy can persuade you to run his program on your computer
it's not your computer anymore
???
To paraphrase the security law to match this specific situation:
If a supplier can persuade you to run Security-bug_Ridden_Web_Browser Y
on your computer, it's not your computer anymore
Now do you understand?
If a web browser is just a data neutral information display device
(which is what it is supposed to be), it is no-one's business but your
own which browser you choose to use for whatever reason[s]. If you
have suppliers that do not understand that, get better suppliers -- in
the long run you will be helping your current suppliers as well as
yourself...
> ... Otherwise I wouldn't switched to something
> like Mozilla.
I presume you mean "would have"...
> In lieu of Microsoft patching the latest round of Secunia announced
> security holes I am disabling Active Scripting for all Internet Zones
> but the Trusted Sites Zone. If this isn't the best alternative what is
> if we *have* to use MSIE?
>
> Anyone??
Won't help you a scrap. At least one of those vulns is a very nasty
cross zone flaw, whereby the zone-checking part of IE (yet again) is
trivially tricked into seeing a URI as belonging in a more trusted zone
than the "effective URI" (i.e. the one that is actually acted on by the
content parsers, script engines, ActiveX, etc) should be seen to be in.
Recipe for trouble, especially if you add microsoft.com to the TS zone
as it's a good bet that the scumware vendors may well start trying to
abuse this latest vuln by assuming that many folk are probably dim
enough to entrust microsoft.com to the TS zone -- attempted exploits
based on that assumption will outright fail on a huge proportion of
potential victim machines, but likely work on enough to make attempting
it worthwhile (like spam, such folk live quite well off _triflingly
low_ hit rates).
Regards,
Nick FitzGerald