lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407031601.i63G1Oj07231@pop-2.dnv.wideopenwest.com>
From: mvp at joeware.net (joe)
Subject: IE Web Browser: "Sitting Duck"

Couple of things.

1. The conversation you are referring to was a conversation about issues
with core base components that necessitated a complete redesign. You kept
bringing up items that were NOT core base components - they were UI
components. IE being one of them. The very fact that you have a choice to
use a different browser should help you understand that. Try to use a
different ACL system on Windows NT based systems and tell me how that goes. 

2. Re: Cert's bluntness. You post the sixth option of six posted options
like this is the only thing they said. Had they not offered this as one
option it would have been an oversight on their part .


3. I don't know why you find this stunning. You tend to find more press
complaining about MS than other. MS is fun to complain about, easy target.
And, as mentioned previously, being the most popular, good for attracting
attention to your server/newspaper/station when you mention them. I.E. They 
make good news.

  joe 



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Edge, Ronald D
Sent: Tuesday, June 29, 2004 10:26 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] IE Web Browser: "Sitting Duck"

I find it pretty stunning that now even the mainstream corporate online IT
press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.

I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI interface",
and ignoring all efforts to focus attention on such facts as pointed out
even in this CNET news.com article:

"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it supports
powerful, propriety Microsoft technologies that are notoriously weak on
security, like ActiveX."
	
http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697
.html?tag=nefd.lede

Even CERT has issued an advisory that is really quite amazing in its
bluntness:
	http://www.kb.cert.org/vuls/id/713878
which was last updated June 25, 2004 in the wake of the download.ject attack
by what appears to have been Russian criminal gangs out of a web site now
shut down in Russia.

"Use a different web browser"
"There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML). "

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics edge@...iana.edu  (812)855-9010
http://iuhoosiers.com http://mainsleazespam.com

Corporate IT's reaction to spyware has been surprising: it's been largely
swept under the rug. The problem is that you can't hide an elephant by
sweeping it under the rug. It leaves quite a bulge.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ