Internet Explorer security discussion thread

Discussion in 'other security issues & news' started by MrBrian, Dec 10, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Update enables SSL 3.0 fallback warnings in Internet Explorer 11:
    ----------

    December 2014 Internet Explorer security updates & disabling SSL 3.0 fallback (hat tip: member siljaline)
     
  2. MrBrian

    https://support.microsoft.com/kb/3009008 contains links to:
    Microsoft Fix it 51024 - Disable SSL 3.0 in Internet Explorer
    Microsoft Fix it 51025 - Restore the original settings of SSL 3.0 in Internet Explorer
     
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    As the title is "Internet Explorer security discussion thread", can I ask about IE security settings?
    How do other guys here set security on IE?
    My security zone settings are here (writing them down is quite the task considering I had to translate all of them to English, so I just attach part of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\)
    Also,
    always launch with -private flag
    ActiveX Filter: on
    internet temp file: 8MB
    do not save history
    do not allow page cache
    do not allow physical location request
    do not disable toolbar and extension when InPrivate
    block 3rd party cookies
    auto complete: only for history, favorite and suggesting URL
    disabled GPU rendering (to mitigate fingerprinting)
    disabled DOM storage
    disabled SSL 2.0, 3.0
    empty Temporary Internet Files when browser is closed
    do not save encrypted page
    disabled integrated Windows authentication
    disabled FTP folder view
    disabled inline autocomplete
    disabled automatic crash recovery
    Use some TPL including Easylist, EasyPrivacy and Malware domain
    disabled all unneeded plugin/addons including Office's ones, some others (flash, silverlight, WMP, DRM related etc.) are set to click-to-play.
     

    Attached Files:
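
Added example (not part of the original posts): a PowerShell audit of the per-user settings the post above describes, reporting which SSL/TLS versions are enabled and whether the Internet zone is at least as strict as the Trusted sites zone. The function names and sample values are constructed for illustration; the URL action IDs and `SecureProtocols` bit values are assumed from Microsoft's documented Internet Explorer registry layout, not taken from the thread.

```powershell
# Added example, not from the thread. SecureProtocols is a bitmask (assumed layout).
$ProtocolBits = [ordered]@{ 'SSL 2.0' = 0x8;   'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80
                            'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
# URL action IDs are the value names under ...\Zones\<n> (2 = Trusted, 3 = Internet).
$Actions = [ordered]@{ '1004' = 'Download unsigned ActiveX controls'
                       '1200' = 'Run ActiveX controls and plug-ins'
                       '1400' = 'Active scripting'
                       '1407' = 'Allow programmatic clipboard access' }
$Policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-EnabledProtocol([int]$SecureProtocols) {
    $ProtocolBits.GetEnumerator() |
        Where-Object { $SecureProtocols -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-PolicyName($Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($Policy.ContainsKey([int]$Value)) { return $Policy[[int]$Value] }
    return ('0x{0:X}' -f $Value)
}

function Compare-Zone($Internet, $Trusted) {
    # 0 < 1 < 3 runs loosest to strictest, so a lower Internet value is a finding.
    foreach ($id in $Actions.Keys) {
        $i = $Internet.$id; $t = $Trusted.$id
        $finding = 'ok'
        if ($null -eq $i -or $null -eq $t) {
            $finding = 'value not set'
        } elseif ($i -lt $t) {
            $finding = 'Internet looser than Trusted'
        }
        [pscustomobject]@{ Action = $Actions[$id]; Internet = (Get-PolicyName $i)
                           Trusted = (Get-PolicyName $t); Finding = $finding }
    }
}

# Constructed sample: SSL 3.0 still on, clipboard access looser in the Internet zone.
$inet  = @{ '1004' = 3; '1200' = 3; '1400' = 0; '1407' = 0 }
$trust = @{ '1004' = 3; '1200' = 0; '1400' = 0; '1407' = 1 }
Get-EnabledProtocol 0xA0
Compare-Zone $inet $trust | Format-Table -AutoSize
# Live per-user settings, if present on this machine.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path "$base\Zones\3") {
    Get-EnabledProtocol (Get-ItemProperty $base).SecureProtocols
    Compare-Zone (Get-ItemProperty "$base\Zones\3") (Get-ItemProperty "$base\Zones\2") | Format-Table -AutoSize
}
```

No protocol output from the live check means the `SecureProtocols` value is absent for this user or has none of these bits set.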

  4. MrBrian

    From (0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote Code Execution Vulnerability:
    CVE-2014-8967 is not listed as being fixed at https://technet.microsoft.com/library/security/ms14-080.
     
  5. MrBrian

    IMHO, sure :).
     
  6. MrBrian

  7. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    Just in reference to the settings that you have shared here (your full list)... have you encountered any problems with those settings? I think it would be a lot easier to comment on certain settings if you only listed the ones that are not default settings. If you have changed something for a specific situation/purpose to enhance security it would make for a discussion.

    I'd like to see some more discussion on this topic especially with the rumors that are mulling around W10/Spartan being a MS departure from what IE is today. I assume that W7 will not get Spartan (more rumor), so IE11 may get parked in its current state. I will not jump to W10 mostly due to hardware constraints which leaves me with IE11 on this laptop.

    I've tried messing with scripting to temporarily get rid of javascript:void on a specific website that had some bizarre javascript requirements. I've had no luck in getting these changes to scripting to work. Under scripting, I enabled 'active scripting' and 'allow programmatic clipboard access menu options'. It is now back to the default setting.
     
  8. Yuki2718

    There are a lot which I changed from default; some have a clear reason, others are just for potential attack surface reduction. But the point is to make your Internet zone as restrictive as you can while still being able to use it for daily browsing, while making the Trusted zone close to the default of the Internet zone (in my case, the Trusted zone is a bit safer than the default Internet zone), and when you encounter a problem and are sure that the domain is safe, add it to the Trusted zone.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
  10. MrBrian

    From Bypass Demonstrated for Microsoft Use-After-Free Mitigation in IE:
     
  11. MrBrian

  12. MrBrian

  13. MrBrian

  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731