lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <9D25EC9CEF02EE449A4D64BFFA413AC8015BD8C3@iu-mssg-mbx05.exchange.iu.edu>
From: edge at indiana.edu (Edge, Ronald D)
Subject: IE Web Browser: "Sitting Duck"

I find it pretty stunning that now even the mainstream corporate online
IT press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.

I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI
interface", and ignoring all efforts to focus attention on such facts as
pointed out even in this CNET news.com article:

"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it
supports powerful, propriety Microsoft technologies that are notoriously
weak on security, like ActiveX."
	
http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697
.html?tag=nefd.lede

Even CERT has issued an advisory that is really quite amazing in its
bluntness:
	http://www.kb.cert.org/vuls/id/713878
which was last updated June 25, 2004 in the wake of the download.ject
attack by what appears to have been Russian criminal gangs out of a web
site now shut down in Russia.

"Use a different web browser"
"There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model,
MIME type determination, and ActiveX. It is possible to reduce exposure
to these vulnerabilities by using a different web browser, especially
when browsing untrusted sites. Such a decision may, however, reduce the
functionality of sites that require IE-specific features such as DHTML,
VBScript, and ActiveX. Note that using a different web browser will not
remove IE from a Windows system, and other programs may invoke IE, the
WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). "

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics 
edge@...iana.edu  (812)855-9010 
http://iuhoosiers.com 
http://mainsleazespam.com

Corporate IT's reaction to spyware has been surprising: it's been
largely swept under the rug. The problem is that you can't hide an
elephant by sweeping it under the rug. It leaves quite a bulge.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ