U.S. Steers Consumers Away From IE

Re: U.S. Steers Consumers Away From IE

Justin Koivisto wrote:[color=blue]
> http://story.news.yahoo.com/news?tmp...=/cmp/22103407
>[/color]

from the page: "The only defense may be completely disabling scripting and
ActiveX controls."

Seems to me that bit isn't really new news.

[color=blue]
> OK, for those of you that actually know me...
>
> $regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
> long ago.';[/color]

.... or die;

--
William Tasso

Re: U.S. Steers Consumers Away From IE

William Tasso wrote:
[color=blue]
> Justin Koivisto wrote:
>[color=green]
>>http://story.news.yahoo.com/news?tmp...=/cmp/22103407[/color]
>
> from the page: "The only defense may be completely disabling scripting and
> ActiveX controls."
>
> Seems to me that bit isn't really new news.[/color]

No, not news.... just finally came from someone who has more clout than
I. ;)
[color=blue][color=green]
>>OK, for those of you that actually know me...
>>
>>$regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
>>long ago.';[/color]
>
> ... or die;[/color]

:-D

--
Justin Koivisto - spam@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Re: U.S. Steers Consumers Away From IE

On Fri, 02 Jul 2004 20:29:11 GMT, Justin Koivisto <spam@koivi.com > wrote:
[color=blue]
> http://story.news.yahoo.com/news?tmp...=/cmp/22103407
>
> OK, for those of you that actually know me...
>
> $regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
> long ago.';[/color]

Just proof that the DoHS gets *some* things right. ;) Although you could
argue that taking so long to actually say it counts against them!

Grey

--
The technical axiom that nothing is impossible sinisterly implies the
pitfall corollory that nothing is ridiculous.
- http://www.greywyvern.com - Orca Knowledgebase: Completely CSS styleable
Knowledgebase/FAQ system

Re: U.S. Steers Consumers Away From IE

Just thought you all should read this part too:

*************** *************** ***********

On Friday, however, the security vendor modified the alert to claim that
virtually every browser, from Internet Explorer and Mozilla to Opera and
Netscape -- including browsers for both Windows and the Mac OS -- has
this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a
design flaw.”

The problem stems from how browsers handle frames. “Some time ago,
browser designers decided that one site needed to be able to manipulate
the content of another, and the functionality was adopted by everyone,”
said Kristensen. But hackers can use this to inject phony content -- say
their own credit card-stealing form -- into a frame of an actual trusted
Web site, such as a user's online bank.

*************** *************** ************

Notice the first paragraph - All browsers have this problem.

Full article at this location:


--
--
spamfree999@rro hio.com
(Remove 999 to reply to me)

Re: U.S. Steers Consumers Away From IE

GreyWyvern wrote:[color=blue]
> On Fri, 02 Jul 2004 20:29:11 GMT, Justin Koivisto <spam@koivi.com > wrote:
>[color=green]
>> http://story.news.yahoo.com/news?tmp...=/cmp/22103407
>>
>> OK, for those of you that actually know me...
>>
>> $regexp='I told (you|them) to (disable ActiveX|(stop using (IE|IIS)))
>> long ago.';[/color]
>
>
> Just proof that the DoHS gets *some* things right. ;) Although you
> could argue that taking so long to actually say it counts against them!
>
> Grey
>[/color]

As I have stated here (recently) if you are using IIS you need to have
your head examined... (or shot - a nice .44 should do quite nicely :)
!!). However an esteemed peer had suggested that a lot of Fortune 1000
companies use them without incident... If MS is a fortune 1000 company
with loads of $$$ and still gets slammed regularly - what does that say
to the rest of us. I know of many Fortune 1000 companies that have been
hit despite all of the firewall/AV solutions put into place. The ONLY
way to prevent it is to not use IIS on the front line. - Maybe
internally, but never externally.

Everyone has been spouting ActiveX and other client-side scripting tools
and while these are "great, whiz-bang, neato", most of the content being
delivered by these methods provide very little to "enhance" the content
itself (or in most cases even the experience). The "architects " of most
of these sites never take into account that 50% or more of the viewers
of their "site" do not have access to anything > 56K (and in most rural
areas of the country are lucky to get 26.6K) - thereby just wasting
corporate $$$ on the development of something that most people choose
not to, or give up trying to see...

There is always something to be said for the KISS principle. Keep It
Simple Stupid!!

Michael Austin.
On the Internet long before it was the WWW.

Re: U.S. Steers Consumers Away From IE

On Fri, 02 Jul 2004 21:15:10 GMT, Leythos <void@nowhere.c om> wrote:
[color=blue]
>Just thought you all should read this part too:
>
>************** *************** ************
>
>On Friday, however, the security vendor modified the alert to claim that
>virtually every browser, from Internet Explorer and Mozilla to Opera and
>Netscape -- including browsers for both Windows and the Mac OS -- has
>this flaw.
>
>“It's not a code vulnerability,” said Secunia's Kristensen, “but a
>design flaw.”
>
>The problem stems from how browsers handle frames. “Some time ago,
>browser designers decided that one site needed to be able to manipulate
>the content of another, and the functionality was adopted by everyone,”
>said Kristensen. But hackers can use this to inject phony content -- say
>their own credit card-stealing form -- into a frame of an actual trusted
>Web site, such as a user's online bank.
>
>************** *************** *************
>
>Notice the first paragraph - All browsers have this problem.
>
>Full article at this location:
>http://www.techweb.com/wire/story/TWB20040702S0007[/color]

Then follow the link at the bottom.

"Secunia offered up a quick test that users can run to see if their current
browser is vulnerable to this problem."

Following that through a few steps leads to the test.



Just tried it in Mozilla 1.7. Doesn't do anything.

--
Andy Hassall <andy@andyh.co. uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space

Re: U.S. Steers Consumers Away From IE

Andy Hassall schrieb:
[color=blue]
> Just tried it in Mozilla 1.7. Doesn't do anything.[/color]

Mozilla 1.7 and Firefox 0.8 are clean. *phew*

The first time I read something about this frame-spoofing problem was
November 1998(!) in the german computer magazine c't.

Regards,
Matthias

Re: U.S. Steers Consumers Away From IE

William Tasso wrote:
[color=blue]
> Justin Koivisto wrote:[color=green]
>> http://story.news.yahoo.com/news?tmp...=/cmp/22103407
>>[/color]
>
> from the page: "The only defense may be completely disabling
> scripting and ActiveX controls."
>
> Seems to me that bit isn't really new news.[/color]

I have them set to prompt. Can be a pain sometimes. I have been trying to
use Firefox more often.
--
Charles Sweeney

Re: U.S. Steers Consumers Away From IE

Michael Austin wrote:
[color=blue]
> Everyone has been spouting ActiveX and other client-side scripting
> tools and while these are "great, whiz-bang, neato", most of the
> content being delivered by these methods provide very little to
> "enhance" the content itself (or in most cases even the experience).
> The "architects " of most of these sites never take into account that
> 50% or more of the viewers of their "site" do not have access to
> anything > 56K (and in most rural areas of the country are lucky to
> get 26.6K) - thereby just wasting corporate $$$ on the development of
> something that most people choose not to, or give up trying to see...
>
> There is always something to be said for the KISS principle. Keep It
> Simple Stupid!![/color]

Hear hear!

--
Charles Sweeney

Re: U.S. Steers Consumers Away From IE

In article <u0mbe0thtimf7f oa5cud2bqpog1ts 0phs5@4ax.com>,
andy@andyh.co.u k says...[color=blue]
> On Fri, 02 Jul 2004 21:15:10 GMT, Leythos <void@nowhere.c om> wrote:
>[color=green]
> >Just thought you all should read this part too:
> >
> >************** *************** ************
> >
> >On Friday, however, the security vendor modified the alert to claim that
> >virtually every browser, from Internet Explorer and Mozilla to Opera and
> >Netscape -- including browsers for both Windows and the Mac OS -- has
> >this flaw.
> >
> >“It's not a code vulnerability,” said Secunia's Kristensen, “but a
> >design flaw.”
> >
> >The problem stems from how browsers handle frames. “Some time ago,
> >browser designers decided that one site needed to be able to manipulate
> >the content of another, and the functionality was adopted by everyone,”
> >said Kristensen. But hackers can use this to inject phony content -- say
> >their own credit card-stealing form -- into a frame of an actual trusted
> >Web site, such as a user's online bank.
> >
> >************** *************** *************
> >
> >Notice the first paragraph - All browsers have this problem.
> >
> >Full article at this location:
> >http://www.techweb.com/wire/story/TWB20040702S0007[/color]
>
> Then follow the link at the bottom.
>
> "Secunia offered up a quick test that users can run to see if their current
> browser is vulnerable to this problem."
>
> Following that through a few steps leads to the test.
>
> http://secunia.com/multiple_browsers...rability_test/
>
> Just tried it in Mozilla 1.7. Doesn't do anything.[/color]

I just tried it on my IE6 and nothing happened either. the MSDN page was
fine, the second one didn't even launch when I clicked on it.

--
--
spamfree999@rro hio.com
(Remove 999 to reply to me)

Re: U.S. Steers Consumers Away From IE

In article <MPG.1b4fb719dd a27d8698a735@ne ws-server.columbus .rr.com>,
void@nowhere.co m says...[color=blue][color=green]
> > Then follow the link at the bottom.
> >
> > "Secunia offered up a quick test that users can run to see if their current
> > browser is vulnerable to this problem."
> >
> > Following that through a few steps leads to the test.
> >
> > http://secunia.com/multiple_browsers...rability_test/
> >
> > Just tried it in Mozilla 1.7. Doesn't do anything.[/color]
>
> I just tried it on my IE6 and nothing happened either. the MSDN page was
> fine, the second one didn't even launch when I clicked on it.[/color]

To follow my own post, I've always set the "Trusted" zone in IE to
"Medium" and the "Internet" zone to "High" and disabled scripting in
Internet zone.

As a side test, I opened a (trusted) site and the clicked on the link
and still nothing happened - seems that if you run IE in a secure mode
that you don't really have that much of a problem.

--
--
spamfree999@rro hio.com
(Remove 999 to reply to me)

Re: U.S. Steers Consumers Away From IE

Charging up on a white horse Andy Hassall said:
: http://secunia.com/multiple_browsers...rability_test/
:
: Just tried it in Mozilla 1.7. Doesn't do anything.

When I clicked as normal people would it did show the other sites
content under the wrong url.

However I am not normal. I open new links in new windows :p
so it won't work on me LOL.


--
Heidi
Recommended Hosting: http://www.page-zone.com/
Put a.w.w. in subject to email me

Re: U.S. Steers Consumers Away From IE

Matthias Esken wrote:
[color=blue]
> Andy Hassall schrieb:
>[color=green]
>> Just tried it in Mozilla 1.7. Doesn't do anything.[/color]
>
> Mozilla 1.7 and Firefox 0.8 are clean. *phew*[/color]

For me, it did "inject" in both Firefox 0.8 and Konqueror 3.2.3.

Re: U.S. Steers Consumers Away From IE

In article <i7sFc.86184$kL 6.32520@newssvr 29.news.prodigy .com>,
agt@mindless.co m says...[color=blue]
> Matthias Esken wrote:
>[color=green]
> > Andy Hassall schrieb:
> >[color=darkred]
> >> Just tried it in Mozilla 1.7. Doesn't do anything.[/color]
> >
> > Mozilla 1.7 and Firefox 0.8 are clean. *phew*[/color]
>
> For me, it did "inject" in both Firefox 0.8 and Konqueror 3.2.3.[/color]

As they said, it's about Java Scripting - if you have it enabled then
you are vulnerable. The key, even with IE, is to disable all scripting
(java or ActiveX) in your IE Internet security zone, then set your IE
Trusted Zone to Medium security. No pop-ups, nothing, works like a
champ.

If you get to a site that doesn't work, because you disabled scripting,
and it's a site you really want to trust, then add the site to your IE
Trusted Zone - make sure you keep the Trusted Zone at MEDIUM, it
defaults to LOW.

--
--
spamfree999@rro hio.com
(Remove 999 to reply to me)