Internet Explorer Local File Weakness !

No problem, it's not critical and, as is the case with so many of these Secunia 'weaknesses', it does not apply when you are safely configured with Active Scripting disabled.

 

Does that mean more than half of the reported vulnerabilities in IE could be avoided by disabling active script

 

It is very much a weakness. Putting it in quotes makes it sound as if it's no big deal. IE is one big deal to ANYBODY who cares about security. It is a HORRIBLE excuse for a browser in the 21st century. Like every other computer security organization in the world, I suggest you put it out to pasteur where it belongs. IE defenders on a security site makes absolutely no sense at all.

 

Yep....and so can opening some e-mail attachments, not properly securing a Firewall, freely downloading software....etc....but it helps with links such as you have posted so users can be aware of vulnerabilities and that it is very simple to prevent the exploit with a simple setting.

 

If by providing info about a very easily secureable browser to those that wish to learn the facts is defending IE in your book....then so be it.

What a crock of crap

Those that wish to learn that IE can be secure will learn that fact....and nothing folks like yourself can say will change that fact. Is IE for the less knowledgeable....Heck no....but it's a simple browser that can be secure and it's secured everyday by folks at many Security Sites.

 

Use it at sites that require it. But why use an inferior browser? I don't get it. CERT, SANS, everybody agrees that IE cannot be "made safe" like it needs to be as long as it is built into the Windows operating system. Why use a browser from a company that obviously cares very little about your experience on the web? They make BILLIONS. Their refusal to build a better browser that isn't integrated and doesn't need updates twice a week is inexcusable. ON PRINCIPLE, I simply don't see how security minded people can use such garbage. Firefox is FAR superior, as is Opera. Why make excuses for, and continue to use, an inferior and insecure product integrated with Window with the excuse that it can be "made safe." Would you continue to drive a car that requires recalls every week to "make it safe"??

 

As a Global Moderator, I am surprised at your language because you disagree!

Tell CERT that it can be made secure. Tell SANS. Why have they both urged people to STOP USING Internet Explorer. Your defense of the indefensible with such gusto is surprising.

But, just so I have this straight, a "Global Moderator" at a computer oriented web site defends IE. You realize that is a little odd?

My opinion is not "a crock of crap". It is the accepted opinion of security pros who deal with it every day for a living. YOUR opinion is in a tiny minority of people who know anything about security. Now, what's a "crock of crap"

 

No....what's inexcusable is folks like yourself making comments such as that when there is not an ounce of truth concerning updates twice a week....give me a break.

Who in the Sam Hill is making excuses....perhaps the problem is users like yourself can not stand the fact that certain programs such as IE can be used by many, many, many Security minded users without having to resort to an alternative browser.

What is it with this...."CERT, SANS, everybody"....do you really think because you use FF or Opera that now the majority of Security minded users have joined you....whatever

We can make this simple....you continue with your preaching in what you feel is the best browser for you and the masses....and I'll continue my preaching that IE is still used by millions of Security minded individuals BUT it is not very safe for the less knowledgeable individuals....and....it can be easily secured with not an ounce of bother

 

Someone just interrupted a chat to point to this thread. Wilders "security" is one very interesting place if its mods defend IE. I have visited here 2 or 3 times before and am always surprised at the amateur attempts at explaining "security." Bubba, I see you are a member of this ASAP, a faux organization that is full of sixteen year olds interpreting HJT logs. ASAP has about as much credibility as OJ Simpson. You people are an interesting bunch. Most people know this forum for the NodHeads and DCSDiamond worshipers. You guys realize these two companies are virtual unknowns in my country (U.S)? DSCS is a garage operation and Wilders people think it's some great software company. LOL! You all are also known for your deletions for anything critical so my guess this will be up mere minutes. Security. HA!

 

california guy, I agree that defending IE is bizarre, but I think you're being a little harsh on the site as a whole.

 

Perhaps crap was not a good choice of words....perhaps garbage would have been better ?

I was always the odd man out....but....as I said earlier....that if by using IE makes me a defender of IE in your book....so be it. I use IE....and for my surfing habits I have no desire to teach this dog new tricks.

That's your opinion not based on facts and Please don't believe everything folks like Sans\Cert report....make some of these easy choices yourself

 

Heh, "Nodheads and DCSDiamonds worshippers" , harsh but accurate

 

It means that more than half the Secunia weaknesses apply to default settings, and can be secured against with safe settings which, in this case, requires active scripting to be disabled.

Some of the Secunia vulnerabilities are implausible, one for example, apparently requires that you do online banking in one IE window, whilst viewing your favourite porno site in another! A somewhat unlikely scenario for the safety conscious!

Interestingly, of the few Firefox vulnerabilities reported by Secunia, several cannot be avoided by changing your settings - does this mean Firefox is more dangerous than I.E.?!!

Well in that case what are you doing here!

 

I do agree the "phishing tricks" are often kind of ridiculous and almost impossible to guard against (if users are dumb enough nothing can protect them,) but those werent the ones I was worried about.

Let me put it this way, how many times have MS left IE users completely exposed, with critical exploits known to the public that involve remote execution of arbitary code (or classed as highly critical if you prefer) unpatched for weeks?

How many times have firefox done it?

I rest my case.

Not really.

As I see it, securing IE as recommended by most people usually simply means preventing themselves from being infected by driveby spyware downloads. This usually involve a series of methods, from netuering known "spammy" sites
(by placing them in the restricted zone) and or totally blocking them with spywareblaster killbit blocks or host files.

If this is the level of security you want, it might be acceptable, though you have to spend a lot of effort updating your software, since this is a signature based approach of protecting yourself.

Even then, once in a while it might fail, because you were less than dilgent in updating your list of restricted sites, or the maintainer of the list missed it... And of course this won't protect you when normally trust worthy sites starts sending you ads designed to exploit the latest unpatched zero day explpit from a hacked ads server

Using an alternative browser totally kills off this problem, without any effort. Let me put this to you , if you could run one software that made you totally immune to all malware and another that in most cases could protect you but neededly maintance, which would you choose?

But wait, you might tell me, securing IE can be done, by totally restricting everything from javascript to java in the internet zone and only allow trusted sites to run such "dangerous technologies"

Granted this will protect you from many exploits (say 80%) including unknown ones, but again you run into the problem of loss of functionality, and the cost of maintaining your trusted zone.

So my feeling is that while IE can be secured, it is way too much effort.

Either you surf like a monk , and turn everything off, which is no way to surf, or you become some kind of security freak, monitoring every security forum and newsgroup for the latest exploit, then doing various work arounds.

I dont think that's accurate. Firefox and mozilla has a lot of options hidden "under the hood", you can see them by typing about:Config in the address bar.

With 2 simple tweaks for example, you can defeat almost all phishing tricks, and without completely disabing Javascript I might add.

I'm one of you of course lol.

 

I don't really agree simply because the most dangerous sites are able to exploit Windows vulnerabilities that will potentially affect people irrespective of the browser they use. You can protect yourself, without undue effort, against the avalanche of spyware afflicting surfers, because this is aimed largely at those on default settings which is sufficient to catch enough 'suckers' to make it worthwhile.

Well it is strange then that under their 'solutions' section, secunia don't advise you what settings are required and merely recommend things like:-

"Do not browse untrusted sites while browsing trusted sites"

"Do not follow download links from untrusted sources".

"Do not follow untrusted links", etc.

 

Well, seems like microsoft is rather lazy, they rely on other people to secure IE for them. IE is a browser that can be secured, but the next moment its not secure anymore because of another security hole.
One moment its secure, the next moment its not. Then you need to secure it again!

 

Seems to me you are shifting your ground now. Or perhaps just attacking a strawman argument.

You are saying that there are critical windows exploits that affect every windows machine. That is true of course. But that will require that you run whatever they are doing locally on your machine because alternative browsers are not as wired into the OS as IE is.

Okay even if I grant you that there are sites that can do this, like say the old shell exploit in firefox 0.9 which mistakenly handled off to the OS, but such problems will affect all windows machine, so we cannot say IE is superior.

On the other hand, my other arguments about how alternative browsers are completely protected against other malware still stands. Would you prefer to be completely immune to all of these kinds of crap, or would you patch your system ad hoc, every week, hoping that the good guys don't accidently, miss out some evil site or some evil CSLID?

Also as I pointed out MS's IE security record is infamous for leaving users completely unprotected from *SERIOUS* exploits that have being known to the public for months, I notice you chose to ignore this point.

I suppose experts like yourself have no problem since you read secunia everyday, but we poor users are not so lucky

Heh Secunia is becoming like the AOL of "security experts" , try reading other sites. Heck even NTbugtraq (hardly the most elite mailing list out there) has mentioned this.

And of course various mozilla based sites. You dont have to believe me, just try them.

 

Hi, funny

Very good posts, thank you.

I have a question if I may:-

How please?

Thanks in advance.
Take Care,
TheQuest