Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] IE Web Browser: "Sitting Duck"

from [Edge, Ronald D] Network Security [Permanent Link]
Subject: [Full-Disclosure] IE Web Browser: "Sitting Duck"
Date: Tue, 29 Jun 2004 09:25:32 -0500 
I find it pretty stunning that now even the mainstream corporate online
IT press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.

I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI
interface", and ignoring all efforts to focus attention on such facts as
pointed out even in this CNET news.com article:

"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it
supports powerful, propriety Microsoft technologies that are notoriously
weak on security, like ActiveX."
        
http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697
.html?tag=nefd.lede

Even CERT has issued an advisory that is really quite amazing in its
bluntness:
        http://www.kb.cert.org/vuls/id/713878
which was last updated June 25, 2004 in the wake of the download.ject
attack by what appears to have been Russian criminal gangs out of a web
site now shut down in Russia.

"Use a different web browser"
"There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model,
MIME type determination, and ActiveX. It is possible to reduce exposure
to these vulnerabilities by using a different web browser, especially
when browsing untrusted sites. Such a decision may, however, reduce the
functionality of sites that require IE-specific features such as DHTML,
VBScript, and ActiveX. Note that using a different web browser will not
remove IE from a Windows system, and other programs may invoke IE, the
WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). "

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics 
edge@indiana.edu  (812)855-9010 
http://iuhoosiers.com 
http://mainsleazespam.com

Corporate IT's reaction to spyware has been surprising: it's been
largely swept under the rug. The problem is that you can't hide an
elephant by sweeping it under the rug. It leaves quite a bulge.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security, http-equiv@excite.com
Next by Date:  RE: [Full-Disclosure] Microsoft and Security, Ron DuFresne
Previous by Thread:  SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security, http-equiv@excite.com
Next by Thread:  Re: [Full-Disclosure] IE Web Browser: "Sitting Duck", Georgi Guninski
Indexes:  [Date] [Thread] [Top] [All Lists]