Re: Keeping IE up to date on a Windows Server

[Nick FitzGerald <nick () virus-l demon co uk>]

"Meeusen, Charles D" <cmeeusen () bnl gov> asked:

> Wondering what other's thoughts are on the maintenance of Internet Explorer
> on a Windows (NT4 or W2K) server. Specifically, what about the default IE4
> installed on an NT4 machine? Patch it? Update it to the latest version?
> Admins claim they would never websurf on the server but...who knows...? That
> promise notwithstanding, does keeping IE up to date make sense for other,
> less sociological, reasons?
>
> My feeling is that maintaining IE addresses core OS componentry as well,
> based on something I read but can't recall exactly. Can anyone point me to a
> document or provide evidence arguing one way or the other?

What you may be remembering is what I usually refer to as "the DoJ 
defense".

To whit, "IE is a core part of the OS".

To (help) "prove" that, all manner of Internet-related functionality in 
other MS products and OS services was made dependent on APIs provided 
in DLLs that are only legally (under the various relevant EULAs) 
available as "part of" IE.  I'd also not be at all surprised if many 
such "Internet-related functions" were hastily welded into MS apps and 
OS components to beef up the plausibility of the claim.

Thus, the only way core OS functionality as provided by, say, 
MSHTML.DLL, can legally (and readily) be kept fully up to date is by 
ensuring you have one of the more recent releases of IE and that you 
keep it suitably service-packed and hotfixed.

To answer your specific question about IE 4.0 -- it is quite some time 
since that has been on the officially supported list...

Also, note that the up-to-dateness of IE (-supplied sub-components) can 
be critical to such less-than-obvious issues as keeping your virus 
scanner up-to-date.  Several recent scanner versions have required at 
least IE 5.01 or 5.5 because their auto-update functions depend on 
Internet functionality APIs introduced (or at least made usably 
reliable and stable) in such "recent" versions of IE.

So, even if your admins can be trusted to _not_ browse the web from 
your servers, there are several compelling reasons to keep IE fairly up-
to-date on your servers.

(And, if you cannot trust your admins to not surf the web from your 
servers (or don't know), why not limit their access to iexplore.exe and 
audit all changes to this file, its ACLs, etc?  After all, it is little 
more than a window manager providing displays for the output of the 
various *ML parsers, "security" and script engines, etc, etc that are 
implemented in a bunch of DLLs and ActiveX controls and whose use by 
other processes should be unaffected by the permissions set on the IE 
executable itself...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html