Open Source and information security mailing list archives
Date: 12 Jul 2004 02:17:28 -0000
From: <bugtraq223344@...linator.com>
To: bugtraq@...urityfocus.com
Subject: Re: Can we prevent IE exploits a priori?




> So I wanted to know, has anyone tried these programs successfully? 
> Can anyone validate their claims? 
> Better yet, does anyone have a link to a "how to" doc, that tells smart
> geeks how to make the registry changes ourselves, so we don't have to rely
> on some program to do it for us? 

How about this: a sandbox that you can run IE in, controlling things like:
-ShellExecute() calls such that only selected programs can be started
 by IE, say Notepad, Real Player, but not the MS-Help tool?
-truly prevents JavaScript from running (IE had bugs in the past that
  allowed running JavaScript code even if it was turned off)
-Only allow selected ActiveX controls to load (Acrobat Reader etc.)
-Deny TCP connections to certain sites 
etc. etc.

 http://www.heise.de/ct/ftp/projekte/iecontroller/

This software is free, source code available (though not GPL!), but unfortunately
the documentation is in German. It was built by one of the German 
computer magazines (c't). If anybody is truly bored and speaks German,
a GPLed version of this would be incredibly useful. I also think that can do more than some registry hacks.

-Markus

