[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] How big is the danger of IE?

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] How big is the danger of IE?
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 09 Jul 2004 13:03:22 +1200

"Larry Seltzer" <larry@xxxxxxxxxxxxxxxx> wrote:

> >>Outlook and Outlook Express use IE to display HTML mails, which make some 
> >>of the IE
> >>bugs exploitable (I don't know if it's the case for this one).
> 
> In general this isn't true for any remotely recent copy of either program. 
> Both run HTML
> mail in the restricted zone which disabled all script, ActiveX and anything 
> else
> dangerous

I think you missed a rather major aspect of several recent IE 
vulnerability discussions -- the security zone model itself (well, at 
least its implementation in IE, etc) _is the problem_ and can often be 
exploited independent of the scritping, and other active content 
processing, state of the zone in which some arbitrary piece of HTML is 
rendered.  It is such highly undesirable features of IE and friends, 
plus the high level of cross-application integration of these 
fundamentally flawed components, that prompted CERT to take the 
unprecedented (?) move of writing:

   http://www.kb.cert.org/vuls/id/713878

   ...

   Use a different web browser

   There are a number of significant vulnerabilities in technologies
   relating to the IE domain/zone security model, the DHTML object
   model, MIME type determination, and ActiveX. It is possible to
   reduce exposure to these vulnerabilities by using a different web
   browser, especially when browsing untrusted sites. Such a decision
   may, however, reduce the functionality of sites that require IE-
   specific features such as DHTML, VBScript, and ActiveX. Note that
   using a different web browser will not remove IE from a Windows
   system, and other programs may invoke IE, the WebBrowser ActiveX
   control, or the HTML rendering engine (MSHTML).

That CERT made such a public stand should have been a serious brown-
alert moment for all those corporates who have not taken good, solid, 
informed security advice from the last two-plus years that they should 
seriously consider removing MS HTML rendering components (or at least 
opportunities for those components to do such rendering) from their 
systems.

In short, it seems CERT has joined the ranks of those who feel that 
hoping MS will properly fix IE is a lost cause, or at least leaves you 
exposed to generally unacceptable threats too often and for too long.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] How big is the danger of IE?
  - From: Larry Seltzer
- RE: [Full-Disclosure] How big is the danger of IE?
  - From: Curt Purdy

References:
- Re: [Full-Disclosure] How big is the danger of IE?
  - From: nicolas vigier
- RE: [Full-Disclosure] How big is the danger of IE?
  - From: Larry Seltzer

Prev by Date: Re: [Full-Disclosure] shell:windows command question
Next by Date: Re: [Full-Disclosure] Mozilla Security Advisory 2004-07-08
Previous by thread: RE: [Full-Disclosure] How big is the danger of IE?
Next by thread: RE: [Full-Disclosure] How big is the danger of IE?
Index(es):
- Date
- Thread