| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mvp at joeware.net (joe) Subject: How big is the danger of IE? http://www.kb.cert.org/vuls/id/713878 The link above is the advisory that theregister is talking about. I know it is unusual for theregister but they seemed to have missed a hefty part of the whole advisory when reporting it. Here is the specific section: III. Solution Until a complete solution is available, consider the following workarounds. Disable Active scripting and ActiveX Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently in beta release) includes these and other security enhancements for IE. Apply the Outlook Email Security Update Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements. Read and send email in plain text format Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability. Maintain updated anti-virus software Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of anti-virus vendors. Do not follow unsolicited links Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting. Use a different web browser There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Skander Ben Mansour Sent: Thursday, July 08, 2004 3:59 PM To: 'Yaakov Yehudi'; FULL-DISCLOSURE@...ts.netsys.com Subject: RE: [Full-Disclosure] How big is the danger of IE? <SNIP> CERT recently recommended using a different web browser: http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/ http://www.us-cert.gov/current/current_activity.html#iis5 "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). " I hope this helps. Best Regards, Skander Ben Mansour -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Yaakov Yehudi Sent: Thursday, July 08, 2004 7:59 AM To: FULL-DISCLOSURE@...ts.netsys.com Subject: [Full-Disclosure] How big is the danger of IE? I would be interested to hear just how big the danger of IE is. How could it affect the privacy of big business?, or any business for that matter? or what about the Government - could information leak from govenrment employees computers? They do something to stop that right? Bob Palliser __________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! http://promotions.yahoo.com/new_mail _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists