
IE Vulnerability Flagged

[quote]

[i]From [url]http://www.internetnews.com/dev-news/article.php/3338461[/url][/i]
[b]The U.S. Computer Emergency Readiness Team (CERT) has published [color=red]a security flaw that has no complete workaround, leaving PCs at risk even if protective steps are taken[/color].

The vulnerability lets attackers trick the InfoTech Storage (ITS) protocol handlers in Microsoft’s Internet Explorer (IE) to grab scripts from another domain (server) and [color=red]gain the same privileges as those found in the victim’s Local Machine Zone[/color].

If that CHM file was crafted by a cracker, it can contain scripts that can be executed from that other domain, [color=red]violating the cross-domain security model[/color]. [color=red]Using a specially crafted URL, CERT says attackers can access other Web sites and run those scripts, which can grab credit card numbers or crash a network[/color].[/b]

[/quote]


40 Comments(s)

@DaveSW Apr 10.2004 — Is this part of your ongoing switch to [URL=http://www.mozilla.org]mozilla[/URL] campaign? :p
@DaveSW Apr 10.2004 — Hey - version 1.7 beta is out! Complete with CSS3's opacity support!
@steelersfan88 Apr 10.2004 — that's what a firewall is for fred ?

yes Dave, that appears to be it, but I'll never switch ?
@Khalid_Ali Apr 10.2004 — I seriously can not understand why people would still stick to IE, day in day out there are problems mentioned on the security websites in relation to IE and people would still stick to it rather than just switch to a better browser in every aspect (any Mozilla-based browser).

By the way steeler, if someone uses your browser's security flaw as in this case then your firewall will not be able to do anything since it's already programmed to allow IE to work....
@steelersfan88 Apr 10.2004 — you would think so Khalid, but I configured my firewall to pay close attention to every script running, therefore any flaw is covered up. The only scripts I allow are between my local network and my own programs which can change files on my computer, but other programs are monitored completely.

Each time I load my computer, I check to make sure the option of checking browser activity is enabled. The firewall runs its own hidden window while the browser runs, which captures and reviews all the scripts running, then runs them if safe, asks me if dangerous, or blocks them if malicious.
@Khalid_Ali Apr 10.2004 — that's neat..that you have something watching at low level on IE...

I use mozilla and don't have to watch what the heck is my browser doing..?
@steelersfan88 Apr 10.2004 — it's not just IE that it looks after, it looks after all my programs, even local ones and Mozilla. I have actually received more problems from Mozilla than IE by quite a few. All of my programs are secured this way, and it tells me of these scripts, unless I take action detected in the main Windows loop, to transfer data between my network.

Also, my firewall does not look at low level, I have it at tight most of the time, and have used breakdown before I came here. Now that I come here, you guys are making me feel more secure, since I don't believe a word I hear :rolleyes:. This is a protection my business has taken and has encouraged all of its employe[b]r[/b]s (myself) to take to prevent file damage at home workstations ?
@ray326 Apr 10.2004 — [QUOTE]Also, my firewall does not look at low level, I have it at tight most of the time, and have used breakdown before I came here.[/QUOTE]
Sorry, I'm having trouble parsing that sentence but I'm interested in your firewalling technique. Is this your own home grown firewall or is it one of the commonly used ones? It sounds like it inspects the protocol stream content which is very sophisticated but can be quite a performance hit.
@steelersfan88 Apr 10.2004 — it is a popular firewall that is personally configured. There are quite a few options that you choose that make it secure everything you need, and [a big] part of it is Internet scripting. The sentence simply states that my Internet connection is under a tight firewall setting, so any suspicious scripts forewarn me. I can then review the script, and make a choice to stop (recommended) or allow the script. Any malicious script is auto-blocked (as set in the many options). There are domain transferring scripts sections which have appeared earlier this year which prevent the running of network scripts over separate domains.

I really could not tell you how it works, since I really don't understand how it does its job, but it sure is a great way to keep me safe. It does take a small hit into performance, but I receive great connections, so even with my firewall slowing down scripting, i still get an extremely fast connection, I've reached over 4 Mbps at some sites ?
@Jona Apr 10.2004 — [QUOTE][i]Originally posted by DaveSW [/i]

[B]Hey - version 1.7 beta is out! Complete with CSS3's opacity support! [/B][/QUOTE]

[font=arial]You mean the Mozilla Mozilla browser, or the Mozilla Firefox one? :p Because both support opacity at their current releases, that I'm aware of.[/font]
@fredmv (author) Apr 10.2004 — I don't quite see why anyone would prefer using an insecure, non-standard, slow, feature-lacking, buggy, or otherwise unstable product — but if you truly enjoy these things, by all means use it. It's merely your loss.

About the addition of support for the CSS3 [font=courier]opacity[/font] property: it was supported previously but along with a vendor-specific prefix (i.e., [font=courier]-moz-[/font]). Now you can use it with simply [font=courier]opacity[/font].
@Jona Apr 10.2004 — [QUOTE][i]Originally posted by fredmv [/i]

[B]About the addition of support for the CSS3 [font=courier]opacity[/font] property: it was supported previously but along with a vendor-specific prefix (i.e., [font=courier]-moz-[/font]). Now you can use it with simply [font=courier]opacity[/font]. [/B][/QUOTE]

[font=arial]Heh, that's a good thing? Now I have to write twice the code for compatibility between [b]versions[/b] of the Mozilla browser! (See [url=http://cmm.rgabbard.com/]CMM v2.0[/url] and you'll know what I mean.)[/font]
@Khalid_Ali Apr 10.2004 — [QUOTE][i]Originally posted by steelersfan88 [/i]

[B]Also, my firewall does not look at low level, [/B][/QUOTE]

LOL

all firewall programs do work at low level..otherwise there is no use ...?
@steelersfan88 Apr 10.2004 — that's why i previously posted i have hundreds of options to customize my level. It's a custom level, marked at tight for what I gave it the options to do. My low level, a trusting level, lacks security of most malicious scripts, and forces a prompt, rather than a direct script failure. This is a customized firewall ?
@ray326 Apr 11.2004 — [QUOTE]it is a popular firewall that is personally configured[/QUOTE] And the name would be?
@steelersfan88 Apr 11.2004 — i don't feel like telling any of the programs I use, other than Notepad and IE ?
@CardboardHammer Apr 12.2004 — [QUOTE][i]Originally posted by steelersfan88 [/i]

[B]...

I really could not tell you how it works, since I really don't understand how it does its job, but it sure is a great way to keep me safe. ...[/B]
[/QUOTE]

So how do you know that it actually DOES work?
@steelersfan88 Apr 12.2004 — Cause you can test it ? It has a testing program which creates a file that is attacked. The contents of the file are evaluated to see how well the firewall works. You can also test it on the Internet. It connects to a server (undisclosed) and attacks the file, then evaluates the contents of the file. (Then restores file for next use).

It also allows you to individually test each option, which run in this manner. When I said I don't know how they do it, I meant that I don't understand the way the program is coded.

Kinda unnecessary with the comment there, you are lucky Ryan is in Florida ?
@ray326 Apr 12.2004 — [QUOTE][i]Originally posted by steelersfan88 [/i]

[B]i don't feel like telling any of the programs I use, other than Notepad and IE ? [/B][/QUOTE]

Oh, as they used to say on Kotter, UYNWARH. ?
@steelersfan88 Apr 12.2004 — i guess we could say that ? Well it rhymes anyway, kinda lame if you ask me ?
@steelersfan88 Apr 13.2004 — Thanks for the edit, whoever (maybe Pete, since you were looking at the thread)
@Larzman Apr 13.2004 — Hey SteelersFan, so you say that you like IE and you have this incredible firewall to protect it. Gee, I'm sure everyone out here can config their firewall so well (like you purportedly do) that it will protect IE. Why not just plug the biggest security hole (IE) on your pc? It's a hell of a lot easier and takes the skills that everyone has, even newbies. Changing browsers takes anywhere from 2 ~ 15 minutes, depending on connection speed for download. Not only do you get much improved security over IE, you must really be a newbie if you don't use tabbed browsing.

Go ahead, spend hours customizing your firewall, I'll stick with Firefox and spend my time enjoying the Web while you secure your pc.

- Larzman
@steelersfan88 Apr 13.2004 — You must have read the rest of my posts. I run my firewall over all my programs, even the local ones. I do not have to customize my firewall more than once, there is a save settings option ? I also have Mozilla installed and have found it not to be what I needed. Jona pointed out why before: because as a programmer, and not a designer, IE is more convenient, more flexible, and more appropriate for what I need.

You also have the fact that all my sites are browser compatible, and that my two favorite sites are all IE-only, since I make the user use an IE browser to view it, and the user doesn't get a choice ? Therefore, knowledge of VBScript, JScript, and the rest of IE-big/only languages can be manipulated.

I've said in the past that I do design several sites, and I do ensure they are browser compatible, but if I need them to be compatible with both, does it matter which browser I use. The thing I like more about IE that makes me use it, I can edit the source code using View -> Source ? If Mozilla allowed editing of the source, then I would be a user of both browsers ?
@Sam Apr 13.2004 — just out of curiosity, is [URL=http://js-articles.8m.net/]this[/URL] your site?
@steelersfan88 Apr 13.2004 — it could have been worse, since it is directly linked in my profile. The fact that the ms word documents open in word, rather than the browser are because IE (being microsoft) is configured to work with microsoft word, as other browsers are not

the articles are not copyright to me, the actual writer is looking for comments from newbies and usage, but if you want to send him some comments, you can do so, post and i will forward to him. His name will NOT be identified for security ?
@Sam Apr 13.2004 — [QUOTE][i]Originally posted by steelersfan88 [/i]

[B]If Mozilla allowed editing of the source, then I would be a user of both browsers ? [/B][/QUOTE]

it's even quicker, you can add a nice MozEdit button anywhere on your chrome.

[upl-file uuid=aa06805a-7cda-4f5d-b361-4a836f9dcaaf size=20kB]capture.jpg[/upl-file]
@Sam Apr 13.2004 — [QUOTE][i]Originally posted by steelersfan88 [/i]

[B]the articles are not copyright to me, the actual writer is looking for comments from newbies and usage, but if you want to send him some comments, you can do so, post and i will forward to him. His name will NOT be identified for security ? [/B]
[/QUOTE]

Actually, the reason I was asking was because it is entirely inaccessible in mozilla. Throws a javascript error onchange of the combobox
@steelersfan88 Apr 13.2004 — it's not as quick as the menu (or whatever you want to call it; the one next to the Windows key) key, then v. And I use Notepad anyway, so it's convenient for me ?
@Larzman Apr 16.2004 — It's too bad you design only for IE. I know many people who will leave your site at the click of the Back button when they see that idiotic "Only IE users" flag. I think it only shows a lack of skill when you design for only 1 browser, as 12% and climbing of Web users are NOT USING IE. That stat is from my commercial website that gets around 40k hits/week. Too bad you're missing those users, I hope you're not selling anything, as they certainly won't buy from a company/website with weak programming/Web skills that caters only to IE lackeys. That stat is also backed by Forrester Research, maybe you should step into the "real" Web world and start programming (like most professional websites) for W3C compatibility, as IE/Microsoft are beginning to see the next tech revolution to Open Source/Universal Compatibility standards.

Good luck with your site, once again, sorry for your misfortune of being IE only. You actually sound like someone with some skills, or are you just another MS pawn?
@Khalid_Ali Apr 16.2004 — [b]It seems like this thread has served its purpose. I'd like to know why I should not close it (unless you guys stop posting in it)[/b]
@steelersfan88 Apr 16.2004 — go ahead and close the thread Khalid, I find that a good idea, although that's because I found no purpose for the thread to begin with ?
@fredmv (author) Apr 16.2004 — It does have a purpose: to let people know how dangerous it is to run IE. It also seems as if you avoided [b]Larzman[/b]'s post.
@steelersfan88 Apr 16.2004 — Actually Fred, no i did not. I sent him a private message, since he, as you, do not read completely my posts before making a presumptuous guess at what I refer to. I attempted to clear things up, but I do encourage the closing of the thread. I also want to encourage you fred: do your job, and stick to it ?
@fredmv (author) Apr 16.2004 — I would've had no way of knowing that. Generally, when someone makes a post you reply to them in that same thread in which they made that post. I guess it has to be done privately so people like myself can't disprove any lies or otherwise incorrect information. This thread can be closed, that's fine. What's important is that people realize the dangers of running IE.
@steelersfan88 Apr 16.2004 — Actually, I told him in private for the sole fact that I've said it before many times, and I didn't want to have to say it again. Close the thread please Khalid, Ryan if you ever come back, Pete, one of you ? The thread from the beginning was at sake for starting an argument about security flaws, not informing of them, because fred, and i quote, "likes arguing about this," as he previously told me

words come back to haunt you fred, I know why you are here ?

EDIT: Actually fred, so far you have yet to disprove me with facts so far, and i think this thread was another attempt, and another failure. being of that purpose, somebody do us all a favor and say bye to this thread ?
@fredmv (author) Apr 16.2004 — Come back to haunt me? Not at all. I enjoy debating about things like this because I think people should be informed with only correct information.
@steelersfan88 Apr 16.2004 — you enjoy informing people about things, so you can debate, not the other way around, as you put it ?
@fredmv (author) Apr 16.2004 — I only debate about things when necessary (i.e., when someone else presents incorrect information).
@steelersfan88 Apr 16.2004 — i find that to be false, and that is nice and simplified, so you can't take it out of context
@Khalid_Ali Apr 16.2004 — as it's obvious that it's not going anywhere, though I do agree with fred's idea of bringing browser vulnerabilities into the light so that people who don't know about possible security problems do know.

Thanks for such a passionate participation all..