By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
438,216 Members | 1,023 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 438,216 IT Pros & Developers. It's quick & easy.

U.S. Steers Consumers Away From IE

P: n/a
http://story.news.yahoo.com/news?tmp...=/cmp/22103407

OK, for those of you that actually know me...

$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
long ago.';

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.
Jul 17 '05 #1
Share this Question
Share on Google+
25 Replies


P: n/a
Justin Koivisto wrote:
http://story.news.yahoo.com/news?tmp...=/cmp/22103407

from the page: "The only defense may be completely disabling scripting and
ActiveX controls."

Seems to me that bit isn't really new news.

OK, for those of you that actually know me...

$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
long ago.';


.... or die;

--
William Tasso
Jul 17 '05 #2

P: n/a
William Tasso wrote:
Justin Koivisto wrote:
http://story.news.yahoo.com/news?tmp...=/cmp/22103407


from the page: "The only defense may be completely disabling scripting and
ActiveX controls."

Seems to me that bit isn't really new news.


No, not news.... just finally came from someone who has more clout than
I. ;)
OK, for those of you that actually know me...

$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
long ago.';


... or die;


:-D

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.
Jul 17 '05 #3

P: n/a
On Fri, 02 Jul 2004 20:29:11 GMT, Justin Koivisto <sp**@koivi.com> wrote:
http://story.news.yahoo.com/news?tmp...=/cmp/22103407

OK, for those of you that actually know me...

$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
long ago.';


Just proof that the DoHS gets *some* things right. ;) Although you could
argue that taking so long to actually say it counts against them!

Grey

--
The technical axiom that nothing is impossible sinisterly implies the
pitfall corollory that nothing is ridiculous.
- http://www.greywyvern.com - Orca Knowledgebase: Completely CSS styleable
Knowledgebase/FAQ system
Jul 17 '05 #4

P: n/a
Just thought you all should read this part too:

*****************************************

On Friday, however, the security vendor modified the alert to claim that
virtually every browser, from Internet Explorer and Mozilla to Opera and
Netscape -- including browsers for both Windows and the Mac OS -- has
this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a
design flaw.”

The problem stems from how browsers handle frames. “Some time ago,
browser designers decided that one site needed to be able to manipulate
the content of another, and the functionality was adopted by everyone,”
said Kristensen. But hackers can use this to inject phony content -- say
their own credit card-stealing form -- into a frame of an actual trusted
Web site, such as a user's online bank.

******************************************

Notice the first paragraph - All browsers have this problem.

Full article at this location:
http://www.techweb.com/wire/story/TWB20040702S0007

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #5

P: n/a
GreyWyvern wrote:
On Fri, 02 Jul 2004 20:29:11 GMT, Justin Koivisto <sp**@koivi.com> wrote:
http://story.news.yahoo.com/news?tmp...=/cmp/22103407

OK, for those of you that actually know me...

$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
long ago.';

Just proof that the DoHS gets *some* things right. ;) Although you
could argue that taking so long to actually say it counts against them!

Grey


As I have stated here (recently) if you are using IIS you need to have
your head examined... (or shot - a nice .44 should do quite nicely :)
!!). However an esteemed peer had suggested that a lot of Fortune 1000
companies use them without incident... If MS is a fortune 1000 company
with loads of $$$ and still gets slammed regularly - what does that say
to the rest of us. I know of many Fortune 1000 companies that have been
hit despite all of the firewall/AV solutions put into place. The ONLY
way to prevent it is to not use IIS on the front line. - Maybe
internally, but never externally.

Everyone has been spouting ActiveX and other client-side scripting tools
and while these are "great, whiz-bang, neato", most of the content being
delivered by these methods provide very little to "enhance" the content
itself (or in most cases even the experience). The "architects" of most
of these sites never take into account that 50% or more of the viewers
of their "site" do not have access to anything > 56K (and in most rural
areas of the country are lucky to get 26.6K) - thereby just wasting
corporate $$$ on the development of something that most people choose
not to, or give up trying to see...

There is always something to be said for the KISS principle. Keep It
Simple Stupid!!

Michael Austin.
On the Internet long before it was the WWW.
Jul 17 '05 #6

P: n/a
On Fri, 02 Jul 2004 21:15:10 GMT, Leythos <vo**@nowhere.com> wrote:
Just thought you all should read this part too:

*****************************************

On Friday, however, the security vendor modified the alert to claim that
virtually every browser, from Internet Explorer and Mozilla to Opera and
Netscape -- including browsers for both Windows and the Mac OS -- has
this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a
design flaw.”

The problem stems from how browsers handle frames. “Some time ago,
browser designers decided that one site needed to be able to manipulate
the content of another, and the functionality was adopted by everyone,”
said Kristensen. But hackers can use this to inject phony content -- say
their own credit card-stealing form -- into a frame of an actual trusted
Web site, such as a user's online bank.

******************************************

Notice the first paragraph - All browsers have this problem.

Full article at this location:
http://www.techweb.com/wire/story/TWB20040702S0007


Then follow the link at the bottom.

"Secunia offered up a quick test that users can run to see if their current
browser is vulnerable to this problem."

Following that through a few steps leads to the test.

http://secunia.com/multiple_browsers...rability_test/

Just tried it in Mozilla 1.7. Doesn't do anything.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
Jul 17 '05 #7

P: n/a
Andy Hassall schrieb:
Just tried it in Mozilla 1.7. Doesn't do anything.


Mozilla 1.7 and Firefox 0.8 are clean. *phew*

The first time I read something about this frame-spoofing problem was
November 1998(!) in the german computer magazine c't.

Regards,
Matthias
Jul 17 '05 #8

P: n/a
William Tasso wrote:
Justin Koivisto wrote:
http://story.news.yahoo.com/news?tmp...=/cmp/22103407


from the page: "The only defense may be completely disabling
scripting and ActiveX controls."

Seems to me that bit isn't really new news.


I have them set to prompt. Can be a pain sometimes. I have been trying to
use Firefox more often.
--
Charles Sweeney
http://CharlesSweeney.com
Jul 17 '05 #9

P: n/a
Michael Austin wrote:
Everyone has been spouting ActiveX and other client-side scripting
tools and while these are "great, whiz-bang, neato", most of the
content being delivered by these methods provide very little to
"enhance" the content itself (or in most cases even the experience).
The "architects" of most of these sites never take into account that
50% or more of the viewers of their "site" do not have access to
anything > 56K (and in most rural areas of the country are lucky to
get 26.6K) - thereby just wasting corporate $$$ on the development of
something that most people choose not to, or give up trying to see...

There is always something to be said for the KISS principle. Keep It
Simple Stupid!!


Hear hear!

--
Charles Sweeney
http://CharlesSweeney.com
Jul 17 '05 #10

P: n/a
In article <u0********************************@4ax.com>,
an**@andyh.co.uk says...
On Fri, 02 Jul 2004 21:15:10 GMT, Leythos <vo**@nowhere.com> wrote:
Just thought you all should read this part too:

*****************************************

On Friday, however, the security vendor modified the alert to claim that
virtually every browser, from Internet Explorer and Mozilla to Opera and
Netscape -- including browsers for both Windows and the Mac OS -- has
this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a
design flaw.”

The problem stems from how browsers handle frames. “Some time ago,
browser designers decided that one site needed to be able to manipulate
the content of another, and the functionality was adopted by everyone,”
said Kristensen. But hackers can use this to inject phony content -- say
their own credit card-stealing form -- into a frame of an actual trusted
Web site, such as a user's online bank.

******************************************

Notice the first paragraph - All browsers have this problem.

Full article at this location:
http://www.techweb.com/wire/story/TWB20040702S0007


Then follow the link at the bottom.

"Secunia offered up a quick test that users can run to see if their current
browser is vulnerable to this problem."

Following that through a few steps leads to the test.

http://secunia.com/multiple_browsers...rability_test/

Just tried it in Mozilla 1.7. Doesn't do anything.


I just tried it on my IE6 and nothing happened either. the MSDN page was
fine, the second one didn't even launch when I clicked on it.

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #11

P: n/a
In article <MP************************@news-server.columbus.rr.com>,
vo**@nowhere.com says...
Then follow the link at the bottom.

"Secunia offered up a quick test that users can run to see if their current
browser is vulnerable to this problem."

Following that through a few steps leads to the test.

http://secunia.com/multiple_browsers...rability_test/

Just tried it in Mozilla 1.7. Doesn't do anything.


I just tried it on my IE6 and nothing happened either. the MSDN page was
fine, the second one didn't even launch when I clicked on it.


To follow my own post, I've always set the "Trusted" zone in IE to
"Medium" and the "Internet" zone to "High" and disabled scripting in
Internet zone.

As a side test, I opened a (trusted) site and the clicked on the link
and still nothing happened - seems that if you run IE in a secure mode
that you don't really have that much of a problem.

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #12

P: n/a
Charging up on a white horse Andy Hassall said:
: http://secunia.com/multiple_browsers...rability_test/
:
: Just tried it in Mozilla 1.7. Doesn't do anything.

When I clicked as normal people would it did show the other sites
content under the wrong url.

However I am not normal. I open new links in new windows :p
so it won't work on me LOL.
--
Heidi
Recommended Hosting: http://www.page-zone.com/
Put a.w.w. in subject to email me
Jul 17 '05 #13

P: n/a
Matthias Esken wrote:
Andy Hassall schrieb:
Just tried it in Mozilla 1.7. Doesn't do anything.


Mozilla 1.7 and Firefox 0.8 are clean. *phew*


For me, it did "inject" in both Firefox 0.8 and Konqueror 3.2.3.
Jul 17 '05 #14

P: n/a
In article <i7*******************@newssvr29.news.prodigy.com> ,
ag*@mindless.com says...
Matthias Esken wrote:
Andy Hassall schrieb:
Just tried it in Mozilla 1.7. Doesn't do anything.


Mozilla 1.7 and Firefox 0.8 are clean. *phew*


For me, it did "inject" in both Firefox 0.8 and Konqueror 3.2.3.


As they said, it's about Java Scripting - if you have it enabled then
you are vulnerable. The key, even with IE, is to disable all scripting
(java or ActiveX) in your IE Internet security zone, then set your IE
Trusted Zone to Medium security. No pop-ups, nothing, works like a
champ.

If you get to a site that doesn't work, because you disabled scripting,
and it's a site you really want to trust, then add the site to your IE
Trusted Zone - make sure you keep the Trusted Zone at MEDIUM, it
defaults to LOW.

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #15

P: n/a

"GreyWyvern" <sp**@greywyvern.com> wrote in message
news:op**************@news.nas.net...
On Fri, 02 Jul 2004 20:29:11 GMT, Justin Koivisto <sp**@koivi.com> wrote:
http://story.news.yahoo.com/news?tmp...=/cmp/22103407

OK, for those of you that actually know me...

$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
long ago.';


Just proof that the DoHS gets *some* things right. ;) Although you could
argue that taking so long to actually say it counts against them!


Like issuing yet another advisory that no one will follow is going to help.

How about start catching these criminals?

Jul 17 '05 #16

P: n/a
Heidi wrote:
However I am not normal.


That's part of the attraction!

--
Charles Sweeney
http://CharlesSweeney.com
Jul 17 '05 #17

P: n/a
Charging up on a white horse Charles Sweeney said:
: That's part of the attraction!

oh you smooth talker you. :p

Well in being 'not normal' I hate shopping. I just got back
from doing it. I am hot, my feet hurt and I am tired. Thank heaven
I don't have to shop that much for another week...
--
Heidi
Recommended Hosting: http://www.page-zone.com/
Put a.w.w. in subject to email me
Jul 17 '05 #18

P: n/a
Chung Leong wrote:
...
How about start catching these criminals?


Great idea - who's first?

--
William Tasso
Jul 17 '05 #19

P: n/a
Heidi wrote:
Charging up on a white horse Charles Sweeney said:
: That's part of the attraction!

oh you smooth talker you. :p

Well in being 'not normal' I hate shopping. I just got back
from doing it. I am hot, my feet hurt and I am tired. Thank heaven
I don't have to shop that much for another week...


Having just finished convincing Windows on all our machines here that
Firefox is now our default browser on this fine Sunday afternoon ... off
to the gym for 2 hours combat, swim, jacuzzi & steam room :)
--
x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #
Jul 17 '05 #20

P: n/a
In article <2k************@uni-berlin.de>, NO*************@subhuman.net
says...
Heidi wrote:
Charging up on a white horse Charles Sweeney said:
: That's part of the attraction!

oh you smooth talker you. :p

Well in being 'not normal' I hate shopping. I just got back
from doing it. I am hot, my feet hurt and I am tired. Thank heaven
I don't have to shop that much for another week...


Having just finished convincing Windows on all our machines here that
Firefox is now our default browser on this fine Sunday afternoon ... off
to the gym for 2 hours combat, swim, jacuzzi & steam room :)


Following the directions from MS would have done the same thing and only
taken about 10 minutes:

For those of you that want to secure your Internet Explorer settings to
better protect yourself, follow this link:
http://www.microsoft.com/security/in.../settings.mspx

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #21

P: n/a
Leythos wrote:
In article <2k************@uni-berlin.de>, NO*************@subhuman.net
says...
Heidi wrote:
Charging up on a white horse Charles Sweeney said:
: That's part of the attraction!

oh you smooth talker you. :p

Well in being 'not normal' I hate shopping. I just got back
from doing it. I am hot, my feet hurt and I am tired. Thank heaven
I don't have to shop that much for another week...


Having just finished convincing Windows on all our machines here that
Firefox is now our default browser on this fine Sunday afternoon ... off
to the gym for 2 hours combat, swim, jacuzzi & steam room :)

Following the directions from MS would have done the same thing and only
taken about 10 minutes:

For those of you that want to secure your Internet Explorer settings to
better protect yourself, follow this link:
http://www.microsoft.com/security/in.../settings.mspx


Until the next hole appears in IE, yes? Firefox is far more secure and
is likely to remain so, even when IE picks up another hole... on average
about one exploit every 2 weeks. Why even bother trying to patch it.

--
x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #
Jul 17 '05 #22

P: n/a
Leythos wrote:
As they said, it's about Java Scripting - if you have it enabled then
you are vulnerable. The key, even with IE, is to disable all scripting
(java or ActiveX) in your IE Internet security zone, then set your IE
Trusted Zone to Medium security. No pop-ups, nothing, works like a
champ.
If you are referring to the recent execCommand flaw, then the problem is
ActiveX and the way Internet Explorer specifically fails to enforce the
security boundary between different domains. Check out the CERT description
of the vulnerability: http://www.kb.cert.org/vuls/id/326412

Disabling scripting in IE will render many websites useless or cripple them
in one way or another. Check out this article:
http://www.eweek.com/article2/0,1759,1619961,00.asp
If you get to a site that doesn't work, because you disabled scripting,
and it's a site you really want to trust, then add the site to your IE
Trusted Zone - make sure you keep the Trusted Zone at MEDIUM, it
defaults to LOW.


I don't have the IE handy to test this but wouldn't adding a site to trusted
zone and allowing scripting make that site vulnerable to the same
"injection?"
Jul 17 '05 #23

P: n/a
In article <SC*******************@newssvr29.news.prodigy.com> ,
ag*@mindless.com says...
Disabling scripting in IE will render many websites useless or cripple them
in one way or another. Check out this article:
http://www.eweek.com/article2/0,1759,1619961,00.asp


Yes, the same is true in any browser where you disable scripting.
If you get to a site that doesn't work, because you disabled scripting,
and it's a site you really want to trust, then add the site to your IE
Trusted Zone - make sure you keep the Trusted Zone at MEDIUM, it
defaults to LOW.


I don't have the IE handy to test this but wouldn't adding a site to trusted
zone and allowing scripting make that site vulnerable to the same
"injection?"


If you set the trusted Zone to medium then you have the same base
security that the Internet zone has by default - so, yes, it would be
susceptible - the defining difference is that you only put sites that
you consider as "trusted" in the trusted zone.

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #24

P: n/a
Leythos wrote:
In article <SC*******************@newssvr29.news.prodigy.com> ,
ag*@mindless.com says...
Disabling scripting in IE will render many websites useless or cripple
them in one way or another. Check out this article:
http://www.eweek.com/article2/0,1759,1619961,00.asp
Yes, the same is true in any browser where you disable scripting.


OK, first off, this is kind of off topic for this group; but anyway, from
what I am getting, we are talking about 2 different things - so correct me
where I'm wrong.

If you are talking about the secunia link you gave, the "frame injection
vulnerability" described there does not require scripting, only frames - in
fact, secunia website itself doesn't use any scripts to demonstrate the
vulnerability (which is weird because that's how most likely it could be
abused - also left me wondering if it will still work with Javascript).
It's a simple target="framename" link and could be abused that way under
these conditions:

- if a "good" website you are visiting has frames;
- you have a rogue website loaded at the same time; and
- the rogue website knows the name of the frame in the good website and
exactly when it's opened

In this case, the rogue website would be able to load its own content into
what would look like a "good" website frame, possibly a username/password
form, or a credit card payment form, and cause user to submit sensitive
data back to the rogue website.

On the other hand, the vulnerability I was referring to (sorry, wrong older
CERT advisory link in my previous reply -
http://networks.org/?src=cert:713878 is the correct one) is about the
execScript (not execCommand) method in IE combined with ActiveX and HTTP
redirection. This vulnerability potentially has much greater reprocussions
and does not require frames or simultaneously visiting other websites.

The rogue website can use the method described in the report to execute
content that [to IE] would appear to be from the local machine zone - i.e.
you will not be asked or even aware when it loads an arbitrary ActiveX
code. So, an attacker could gain control of machine with the same
privileges as the user using the browser (i.e. administrative rights on
most home systems).

This vulnerability is a combination of IE's security model
(trusted/high/medium/low/local/etc.), scripting
(execScript/showModalDialog), and ActiveX. Other browsers don't implement
IE's security model and ActiveX, and may not even implement showModalDialog
as far as I know. So, this particular vulnerability does not affect other
browsers.

This is how I understand it anyway. Feel free to correct.
If you set the trusted Zone to medium then you have the same base
security that the Internet zone has by default - so, yes, it would be
susceptible - the defining difference is that you only put sites that
you consider as "trusted" in the trusted zone.


OK, I understand - if you'd like to stick with IE, this seems like a
temporary solution until MS releases their fix. It's temporary because it
may break the functionality of the sites that rely on scripting that you'd
like to visit but cannot fully "trust." You don't need to disable scripting
in other browsers because they are not affected by the vulnerability I was
referring to - that's a [temporary] disadvantage to continuing to use IE.
Jul 17 '05 #25

P: n/a
In article <ps*****************@newssvr27.news.prodigy.com> ,
ag*@mindless.com says...
OK, I understand - if you'd like to stick with IE, this seems like a
temporary solution until MS releases their fix.


It's OK, I run FF 0.9.0 also.

--
--
sp*********@rrohio.com
(Remove 999 to reply to me)
Jul 17 '05 #26

This discussion thread is closed

Replies have been disabled for this discussion.