Author Topic: 'Critical' IE Security Warning Released  (Read 17579 times)

0 Members and 1 Guest are viewing this topic.

Offline MWassef

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1315
'Critical' IE Security Warning Released
« on: November 28, 2003, 07:49:05 AM »
MW

galaxyclass

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #1 on: November 28, 2003, 06:42:38 PM »
QUOTE:
Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.


I use IE and am quite worried about this, is this advice correct and if so how do I go about doing this and what effect will it have pro/con wise?

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:'Critical' IE Security Warning Released
« Reply #2 on: November 28, 2003, 07:07:31 PM »
I dont see this on the Internet Security Systems website. Here is the current alertcon

Current AlertCon


AlertCon 1 - Regular vigilance. Ordinary activity compromises an unprotected network minutes to hours after first being connected to the Internet.
Vulnerabilities

Opera: Opera is a Web browser, developed by Opera Software, for multiple operating systems. Opera versions 7.22 and earlier are vulnerable to a buffer overflow, caused by improper bounds checking by the zip process code when handling skin files. A remote attacker could create a malicious file to overflow a buffer and execute arbitrary code on the vulnerable system. An attacker could exploit this vulnerability by creating a malicious Web page or by sending a victim a malicious HTML email.
Recommendations

Opera: Upgrade to the latest version of Opera (7.23 or later), available from the Opera. Web site.
Threat Forecast

We anticipate remaining at Level 1 through November 30th.
"People who are really serious about software should make their own hardware." - Alan Kay

techie101

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #3 on: November 29, 2003, 01:10:55 AM »
Min,

I reviewed this super critical nonsense article which says nothing more than Windows and IE users know already.  IE does have vulnerabilities that need to be addressed, and MS does so in a timely manner.

Check Windows Update frequently, or download the Critical Updater from MS which will alert you to any critical updates that your system needs.

As a matter of fact, I was notified earlier that there is another IE critical update available which I downloaded.

Don't worry too much about the "GLOOM AND DOOM" experts.

Keep you Windows updated, make sure you have a good firewall in place and naturally use AVAST !

techie

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:'Critical' IE Security Warning Released
« Reply #4 on: November 29, 2003, 02:19:53 AM »
Keep you Windows updated, make sure you have a good firewall in place and naturally use AVAST !
techie

Fully agree with techie. Although IE is not a secure application, you can sleep very well following some security procedures...  ;D
The best things in life are free.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:'Critical' IE Security Warning Released
« Reply #5 on: November 29, 2003, 03:38:46 AM »
is there any way i can completely remove IE from my system and use ONLY Mozilla ????
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:'Critical' IE Security Warning Released
« Reply #6 on: November 29, 2003, 03:50:24 AM »
is there any way i can completely remove IE from my system and use ONLY Mozilla ????

On a XP System you can configure Mozilla as the default browser.
If you are at SP1, you can access the 'Access and Programs' Applet and configure the Internet browser...
I'm affraid you won't succeed in removing IE from a XP System. Also you will get into very hot water... A tons of things could become incopatible... I really do not recommend... At lower OS, like 98 and Me, there were some applications which 'allow' the user to desinstall IE but, indeed, you will find a lot of trouble...  :(
The best things in life are free.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:'Critical' IE Security Warning Released
« Reply #7 on: November 29, 2003, 04:21:58 AM »
rate all theese flaws affect IE I just wanted to get rid of another pice of bill gates  ;) ( Bill has NO control over mac thats why I like them so much )
"People who are really serious about software should make their own hardware." - Alan Kay

kubecj

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #8 on: November 29, 2003, 10:57:59 PM »
I reviewed this super critical nonsense article which says nothing more than Windows and IE users know already.  IE does have vulnerabilities that need to be addressed, and MS does so in a timely manner.

Techie, have you seen this link?
http://continue.to/trie

I don't believe M$IE for a long time, especially their ActiveX stuff...

techie101

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #9 on: November 30, 2003, 07:10:53 PM »
kubej,

The article was very informative.  Yes, I agree.  MS does not tell all.

techie

galaxyclass

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #10 on: December 04, 2003, 03:35:13 PM »
I found this article on CNET's news section:

CNET News.com

In the 3rd paragraph there is a link to a site explaining how to disable Active Scripting, is the advice correct and what affect will it have on me if I disable it? Also, can I disable Active Scripting on it's own without following any of the other advice?

I want to be secure but I also want to be able to enjoy the 'net without too many restrictions.

Thanks as always,
notdarkyet.

Hornus Continuum

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #11 on: December 10, 2003, 12:25:56 AM »
notdarkyet,

Yes, you can disable Active Scripting on it's own.  Disabling scripting, ActiveX Controls, and Java applets can have a negative impact on the usability of some sites, but in my experience most work just fine.  A couple of things you can do:

1)  Disable these features in the Internet Zone and enable them in the Trusted Zone, adding any web sites that you regularly visit that you trust to the latter.

2) Configure Internet Explorer to prompt you for permission to use them.  This makes it easier to deal with pages that don't display or function properly.  Just click the refresh button on the toolbar and give permission the second time around.

I downloaded the following from a web site some time ago, but I saw the same information in a Microsoft Knowledge Base article.

Quote
The following options dictate how Internet Explorer approves, downloads, runs, and scripts ActiveX controls and plug-ins.  If a user downloads an ActiveX control from a site that is different from the page on which it is used, Internet Explorer applies the more restrictive of the two sites' zone settings.  For example, if a user views a Web page within a zone that is set to permit a download, but the code is downloaded from another zone that is set to prompt a user first, Internet Explorer uses the prompt setting.
 
Download signed ActiveX controls:

This option determines whether users can download signed ActiveX controls from a page in the zone.  This option has the following settings:
 
Disable, which prevents all signed controls from downloading.

Enable, which downloads valid signed controls without user intervention and prompts users to choose whether to download invalid signed controls, that is, controls that have been revoked or have expired.

Prompt, which prompts users to choose whether to download controls signed by publishers who are not trusted, but still silently downloads code validly signed by trusted publishers.

Download unsigned ActiveX controls:

This option determines whether users can download unsigned ActiveX controls from the zone. This code is potentially harmful, especially when it comes from an untrusted zone.  This option has the following settings:

Disable, which prevents unsigned controls from running.

Enable, which runs unsigned controls without user intervention.

Prompt, which prompts users to choose whether to allow the unsigned control to run.

Initialize and script ActiveX controls not marked as safe:

ActiveX controls are classified as either trusted or untrusted. This option controls whether a script can interact with untrusted controls in the zone.  Untrusted controls are not meant for use on Internet pages, but in some cases they can be used with pages that can be absolutely trusted not to use the controls harmfully.  Object safety should be enforced unless you can trust all ActiveX controls and scripts on pages in the zone.  This option has the following settings:

Disable, which enforces object safety for untrusted data or scripts. ActiveX controls that cannot be trusted are not loaded with parameters or scripted.

Enable, which overrides object safety.  ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.  This setting is not recommended, except for secure and administered zones.  This setting causes Internet Explorer to initialize and script both untrusted and trusted controls and ignore the Script ActiveX controls marked safe for scripting option.
 
Prompt, which attempts to enforce object safety.  However, if ActiveX controls cannot be made safe for untrusted data or scripts, users are given the option of allowing the control to be loaded with parameters or to be scripted.
For more information about how to make ActiveX controls safe, see the MSDN Online Web site.

Run ActiveX controls and plug-ins:

This option determines whether Internet Explorer can run ActiveX controls and plug-ins from pages in the zone. This option has the following settings:

Administrator approved, which runs only those controls and plug-ins that you have approved for your users.  To select the list of approved controls and plug-ins, use Internet Explorer system policies and restrictions.  The Control Management category of policies enables you to manage these controls.

Disable, which prevents controls and plug-ins from running.

Enable, which runs controls and plug-ins without user intervention.

Prompt, which prompts users to choose whether to allow the controls or plug-ins to run.

Script ActiveX controls marked safe for scripting:

This option determines whether an ActiveX control that is marked safe for scripting can interact with a script.  This option does not affect controls that are loaded with <param> tags. This option has the following settings:

Disable, which prevents script interaction.  Disabling ActiveX control scripting will also prevent applets from being scripted.

Enable, which allows script interaction without user intervention.

Prompt, which prompts users to choose whether to allow script interaction.

Internet Explorer ignores this option when Initialize and script ActiveX controls that are not marked safe is set to Enable, because that setting bypasses all object safety.  You cannot script unsafe controls while blocking the scripting of the safe ones.

Note: In Internet Explorer 5 and earlier versions of the browser, this option was enabled for all security levels.  If you upgrade to Internet Explorer 6 and you did not disable this option in your previous browser version, it will remain enabled in Internet Explorer 6.

Scripting options specify how Internet Explorer handles scripts.

Active scripting:

This option determines whether Internet Explorer can run script code on Web pages in the zone.  This option has the following settings:

Disable, which prevents scripts from running.

Enable, which runs scripts without user intervention.

Prompt, which prompts users about whether to allow the scripts to run.
 
Allow paste operations via script:

This option determines whether a Web page can cut, copy, and paste information from the Clipboard.  This option has the following settings:
 
Disable, which prevents a Web page from cutting, copying, and pasting information from the Clipboard.

Enable, which allows a Web page to cut, copy, and paste information from the Clipboard without user intervention.

Prompt, which prompts users about whether to allow a Web page to cut, copy, or paste information from the Clipboard.

Scripting of Java applets:

This option determines whether scripts within the zone can use objects that exist within Java applets.  This capability allows a script on a Web page to interact with a Java applet.  This option has the following settings:

Disable, which prevents scripts from accessing applets.

Enable, which allows scripts to access applets without user intervention.

Prompt, which prompts users about whether to allow scripts to access applets.

Internet Explorer ignores this option when Script ActiveX controls marked safe for scripting is set to Disable.  In this case, Scripting of Java applets is also disabled.

Regards,
Hornus

galaxyclass

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #12 on: December 12, 2003, 07:25:12 PM »
Hi Hornus,

I've been busy so wasn't able to reply until now, thanks for posting answers to my questions and that article. I'll now see about closing up any more holes in my security.  ;)

notdarkyet

CoJo

  • Guest
Re:'Critical' IE Security Warning Released
« Reply #13 on: December 16, 2003, 09:19:48 PM »
Hornus, thank you so much for the information!!
cojo