[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] windowsupdate

To: <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] windowsupdate
From: "Drew Copley" <dcopley@eeye.com>
Date: Thu, 21 Aug 2003 11:21:26 -0700



> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com 
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of *Hobbit*
> Sent: Wednesday, August 20, 2003 4:08 PM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] windowsupdate
> 
> 
> [Observation stolen from nanog.]
> 
>    Windows Update uses ActiveX Controls and active scripting 
> to display
>    content correctly and to determine which updates apply to 
> your computer.
> 
>    To view and download updates for your computer, your 
> Internet Explorer
>    security settings must meet the following requirements:
>      * Security must be set to medium or lower
>      * Active scripting must be set to enabled
>      * The download and initialization of ActiveX Controls 
> must be set to
>        enabled
> 
> What the hell are you people thinking?!

They did screw up. Their design is flawed, but they have a good base
there to fix it, if they ever decide to.

The primary security model of Internet Explorer is shown in the Windows
2003 version. Activex is disabled. File downloading is disabled.
Javescript and Visual Basic Script is disabled. Input forms is disabled.

All of this is disabled on the Internet Zone. 

Windows update is placed in the Trusted Zone.

The problem is they ask you to place every site you want to download a
file from or run activex - or do any of this stuff - in the Trusted
Zone.

>From a corporate standpoint where users may be prevented from doing
these things... This may be "good". Users will be prevented from doing
just about anything. But, IE had this capability all along, anyway. 

>From a regular user standpoint, this means that users will be going into
their archaic settings and changing these settings to fit their own
dislikes and likes. As these settings are poorly done - poorly designed,
that is - users are very likely to enable "features" such as "always run
untrusted activex" or something else which every spyware popup on the
planet would drool over.

There are other issues which have been brought up... XSS on trusted
sites now invades the full security model of IE (though, it might be
noted trusted is not what it used to be, I think, regardless trusted
does not mean system access)... Etc, etc.

Lastly, why is this concern just given to Windows 2003? That is an
expensive upgrade. According to the latest stats, this is 95% of the
browsing public we are talking about here. Microsoft has an obligation
to the public. The days of playing Machiavelli (or is that Darth
Sidious?)should be over.

And, do not think this much touted security feature of Windows 2003 is
something which is expensive or out of this world. From what I can tell,
it is just a bit more of a settings manager - an awkward one at that. 


> 
> _H*
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] windowsupdate
  - From: hobbit@avian.org (*Hobbit*)

Prev by Date: Re: [Full-Disclosure] JAP back doored
Next by Date: Re: [Full-Disclosure] JAP back doored
Prev by thread: RE: [Full-Disclosure] windowsupdate
Next by thread: [Full-Disclosure] Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
Index(es):
- Date
- Thread