The Register, 2004-06-28
US CERT (the US Computer Emergency Readiness Team) is advising people to ditch Internet Explorer and use a different browser after the latest security vulnerability in the software was exposed.
CERT recommends anything but IE
2004-06-29
Brian McMahon <brian.mcmahon (at) cabrillo (dot) edu [email concealed]>

Searching for "internet explorer" at http://www.securityfocus.com/bid/keyword/ brings up the latest list of IE vulns, many of which relate to this "cross-zone" problem, and remain without a solution.
I tried some experiments locally to try to disable IE from silently executing a local file, like c:\winnt\system32\cmd.exe (paste that line into IE's address bar). Following the instructions on http://www.microsoft.com/security/incident/settings.mspx didn't make a difference, nor did setting all security zones to "high" or even manually disabling or setting all security options to "prompt".
In my view, this is the fundamental problem: as long as IE will execute local content without warning, there will be "cross-zone" exploits of this nature. Neither Opera, Mozilla, nor Firefox (to name a few) will allow this kind of behavior.
The exploit in this case uses yet another method of tricking IE into thinking that the object it's opening is really part of the local computer security zone, and therefore it doesn't need to bother prompting the user.
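A defender's check for the zone the comment above describes, added here as an example (not the commenter's code, nor anything from Microsoft or The Register): it reads the per-user settings of IE's "My Computer" zone (zone 0) and flags each relevant action that is set to Enable rather than Prompt or Disable. The registry path, the action codes and the state codes are the documented Internet Settings layout for IE of that era; treat them as assumptions and verify them against the IE version you are auditing, and note that a machine-wide policy under HKLM can override what HKCU shows.

```powershell
# Added example: audit the Internet Explorer "My Computer" zone (zone 0),
# the zone the comment identifies as the one IE trusts without prompting.
# Path and codes are assumptions based on the documented Internet Settings
# layout; verify against the IE version in use.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# Policy-action codes most relevant to a cross-zone scenario.
$actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1004' = 'Download unsigned ActiveX controls'
    '1400' = 'Active scripting'
}

# Zone values: 0 = Enable, 1 = Prompt, 3 = Disable.
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-LocalZoneAudit {
    param([string]$Path = $zonePath)
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($code in ($actions.Keys | Sort-Object)) {
        $raw = $key.$code
        # An absent value means IE applies its built-in default for the
        # zone rather than an explicit setting; flag it for manual review.
        $state = if ($null -eq $raw) { 'Default (not set)' } else { $states[[int]$raw] }
        [pscustomobject]@{
            Code    = $code
            Setting = $actions[$code]
            State   = $state
            Review  = ($state -eq 'Enable' -or $state -like 'Default*')
        }
    }
}

Get-LocalZoneAudit | Format-Table -AutoSize
```

Rows marked Review are the ones where local content would run without the prompt the comment says it could not obtain through the UI; the script only reports, it changes nothing.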