Bugtraq mailing list archives

Re: IE 5.0 allows executing programs

From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Mon, 23 Aug 1999 10:08:07 -0700


At 07:17 PM 8/21/99 +0300, Georgi Guninski wrote:

Workaround:
Disable Active Scripting
or
Disable Run ActiveX Controls and plug-ins


Actually, the setting that goes right to the heart of this one is "Script
ActiveX Controls Marked Safe For Scripting".  Default for "Internet Zone"
is Enable.  It is probably safest to set it to either disable or prompt.  I
personally would tend to prefer prompt, because it then lets you see who is
trying to do what.  If someone is trying to do rude things to my system, I
generally want to know about it.  Disabling all ActiveX controls is
probably overkill, as the ones that aren't marked safe for scripting can't
be caused to do things remotely.

On some sites, you'll find that you may want this to function, and I'd
consider adding them to the "trusted sites" zone.

David LeBlanc
dleblanc () mindspring com

Current thread:

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent(), (continued)
- - - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
    - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
    - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Aaron Campbell (Aug 19)
    - Microsoft Security Bulletin (MS99-030) Aleph One (Aug 20)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Alan Cox (Aug 22)
    - libtermcap exploit fix ... smashcap.c Hudin Lucian (Aug 22)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Pavel Kankovsky (Aug 26)

(Thread continues...)