Message-ID: <40EE979A.25257.490671AD@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: How big is the danger of IE?

"Larry Seltzer" <larry@...ryseltzer.com> wrote:

> >>Outlook and Outlook Express use IE to display HTML mails, which makes some of the IE
> >>bugs exploitable (I don't know if it's the case for this one).
> 
> In general this isn't true for any remotely recent copy of either program. Both run HTML
> mail in the restricted zone which disables all script, ActiveX and anything else
> dangerous

I think you missed a rather major aspect of several recent IE 
vulnerability discussions -- the security zone model itself (well, at 
least its implementation in IE, etc) _is the problem_ and can often be 
exploited independent of the scripting, and other active content 
processing, state of the zone in which some arbitrary piece of HTML is 
rendered.  It is such highly undesirable features of IE and friends, 
plus the high level of cross-application integration of these 
fundamentally flawed components, that prompted CERT to take the 
unprecedented (?) move of writing:

   http://www.kb.cert.org/vuls/id/713878

   ...

   Use a different web browser

   There are a number of significant vulnerabilities in technologies
   relating to the IE domain/zone security model, the DHTML object
   model, MIME type determination, and ActiveX. It is possible to
   reduce exposure to these vulnerabilities by using a different web
   browser, especially when browsing untrusted sites. Such a decision
   may, however, reduce the functionality of sites that require IE-
   specific features such as DHTML, VBScript, and ActiveX. Note that
   using a different web browser will not remove IE from a Windows
   system, and other programs may invoke IE, the WebBrowser ActiveX
   control, or the HTML rendering engine (MSHTML).

That CERT made such a public stand should have been a serious brown-
alert moment for all those corporates who have not taken good, solid, 
informed security advice from the last two-plus years that they should 
seriously consider removing MS HTML rendering components (or at least 
opportunities for those components to do such rendering) from their 
systems.

In short, it seems CERT has joined the ranks of those who feel that 
hoping MS will properly fix IE is a lost cause, or at least leaves you 
exposed to generally unacceptable threats too often and for too long.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

