Message-ID: <3F610DDA.8084.23B1E35@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Keeping IE up to date on a Windows Server

"Meeusen, Charles D" <cmeeusen@....gov> asked:

> Wondering what others' thoughts are on the maintenance of Internet Explorer
> on a Windows (NT4 or W2K) server. Specifically, what about the default IE4
> installed on an NT4 machine? Patch it? Update it to the latest version?
> Admins claim they would never websurf on the server but...who knows...? That
> promise notwithstanding, does keeping IE up to date make sense for other,
> less sociological, reasons?
>
> My feeling is that maintaining IE addresses core OS componentry as well,
> based on something I read but can't recall exactly. Can anyone point me to a
> document or provide evidence arguing one way or the other?

What you may be remembering is what I usually refer to as "the DoJ
defense".

To wit, "IE is a core part of the OS".

To (help) "prove" that, all manner of Internet-related functionality in
other MS products and OS services was made dependent on APIs provided
in DLLs that are only legally (under the various relevant EULAs)
available as "part of" IE. I'd also not be at all surprised if many
such "Internet-related functions" were hastily welded into MS apps and
OS components to beef up the plausibility of the claim.

Thus, the only way core OS functionality as provided by, say,
MSHTML.DLL, can legally (and readily) be kept fully up to date is by
ensuring you have one of the more recent releases of IE and that you
keep it suitably service-packed and hotfixed.

To answer your specific question about IE 4.0 -- it is quite some time
since that has been on the officially supported list...

Also, note that the up-to-dateness of IE (-supplied sub-components) can
be critical to such less-than-obvious issues as keeping your virus
scanner up-to-date. Several recent scanner versions have required at
least IE 5.01 or 5.5 because their auto-update functions depend on
Internet functionality APIs introduced (or at least made usably
reliable and stable) in such "recent" versions of IE.

So, even if your admins can be trusted to _not_ browse the web from
your servers, there are several compelling reasons to keep IE fairly up-
to-date on your servers.

(And, if you cannot trust your admins to not surf the web from your
servers (or don't know), why not limit their access to iexplore.exe and
audit all changes to this file, its ACLs, etc? After all, it is little
more than a window manager providing displays for the output of the
various *ML parsers, "security" and script engines, etc, etc that are
implemented in a bunch of DLLs and ActiveX controls and whose use by
other processes should be unaffected by the permissions set on the IE
executable itself...)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854