Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

IE Web Browser: "Sitting Duck"

From: "Edge, Ronald D" <edge () indiana edu>
Date: Tue, 29 Jun 2004 09:25:32 -0500
I find it pretty stunning that now even the mainstream corporate online
IT press is jumping down Microsoft's throat over the vulnerabilities and
problems with the Microsoft IE browser.

I recall last week we had a thread in which one poster was defending
Microsoft, and insisting we were just complaining about the "GUI
interface", and ignoring all efforts to focus attention on such facts as
pointed out even in this CNET news.com article:

"IE a sitting duck?"
"But Mozilla claims some inherent security advantages as well. Internet
Explorer is a fat target for attackers, in large part because it
supports powerful, propriety Microsoft technologies that are notoriously
weak on security, like ActiveX."
        
http://news.com.com/IE+flaw+may+boost+rival+browsers/2100-7355_3-5250697
.html?tag=nefd.lede

Even CERT has issued an advisory that is really quite amazing in its
bluntness:
        http://www.kb.cert.org/vuls/id/713878
which was last updated June 25, 2004 in the wake of the download.ject
attack by what appears to have been Russian criminal gangs out of a web
site now shut down in Russia.

"Use a different web browser"
"There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model,
MIME type determination, and ActiveX. It is possible to reduce exposure
to these vulnerabilities by using a different web browser, especially
when browsing untrusted sites. Such a decision may, however, reduce the
functionality of sites that require IE-specific features such as DHTML,
VBScript, and ActiveX. Note that using a different web browser will not
remove IE from a Windows system, and other programs may invoke IE, the
WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). "

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics 
edge () indiana edu  (812)855-9010 
http://iuhoosiers.com 
http://mainsleazespam.com

Corporate IT's reaction to spyware has been surprising: it's been
largely swept under the rug. The problem is that you can't hide an
elephant by sweeping it under the rug. It leaves quite a bulge.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: