[Full-Disclosure] IE Web Browser: "Sitting Duck"
mvp at joeware.net
Sat Jul 3 16:56:42 BST 2004

Couple of things.
1. The conversation you are referring to was a conversation about issues
with core base components that necessitated a complete redesign. You kept
bringing up items that were NOT core base components - they were UI
components. IE being one of them. The very fact that you have a choice to
use a different browser should help you understand that. Try to use a
different ACL system on Windows NT based systems and tell me how that goes.
2. Re: Cert's bluntness. You post the sixth option of six posted options
like this is the only thing they said. Had they not offered this as one
option it would have been an oversight on their part.
3. I don't know why you find this stunning. You tend to find more press
complaining about MS than others. MS is fun to complain about, easy target.
And, as mentioned previously, being the most popular, good for attracting
attention to your server/newspaper/station when you mention them. I.E. They
make good news.

From: full-disclosure-admin at lists.netsys.com
[mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Edge, Ronald D
Sent: Tuesday, June 29, 2004 10:26 AM
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] IE Web Browser: "Sitting Duck"
I find it pretty stunning that now even the mainstream corporate online IT
press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.
I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI interface",
and ignoring all efforts to focus attention on such facts as pointed out
even in this CNET news.com article:
"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it supports
powerful, proprietary Microsoft technologies that are notoriously weak on
security, like ActiveX."
Even CERT has issued an advisory that is really quite amazing in its
which was last updated June 25, 2004 in the wake of the download.ject attack
by what appears to have been Russian criminal gangs out of a web site now
shut down in Russia.
"Use a different web browser"
"There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different web browser, especially when browsing
untrusted sites. Such a decision may, however, reduce the functionality of
sites that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE from a
Windows system, and other programs may invoke IE, the WebBrowser ActiveX
control, or the HTML rendering engine (MSHTML)."
Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics edge at indiana.edu (812)855-9010
Corporate IT's reaction to spyware has been surprising: it's been largely
swept under the rug. The problem is that you can't hide an elephant by
sweeping it under the rug. It leaves quite a bulge.
Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.