Is IE Being Exploited

Discussion in 'other software & services' started by SnowGuy, May 25, 2004.

Thread Status:
Not open for further replies.
  1. SnowGuy

    SnowGuy Guest

    I've been testing this for several days, always with the very same results.

    Those using internet explorer may have their "zone" setting set to:

    "PROMPT before submitting non-encrypted form data"


    Well, I have repeatedly noticed that in my case the setting mentioned above is being changed........and no doubt it's being done by websites exploiting internet explorer..............
    If internet explorer is set to "Prompt before submitting non-encrypted form data".......a small window will appear giving the computer user a notice and a choice....to submit the data or not to...........
    normally it's one of those "set and forget" things.......it should not constantly need to be re-set........but .....very big but........now I have noticed that when going to several websites that "notice" when it appears is "CHECKED"....not to give the warning again.......and if the computer user feels it's a "safe" website....or at least wants to enter.......and the user oks submitting the data...........then the setting in internet explorer is changed......in my case that setting is then NOT CHECKED AT ALL........and if so no warning is given to the user afterwards of any "NON-ENCRYPTED FORM DATA BEING SUBMITTED".

    I have tested this using internet explorer 5.01 and 5.5.....both fully patched...........and it only happens at SOME websites..........fe: I just went to do a port scan at a certain site.......and sure enough the above mentioned action took place........
    anyone caring to follow-up on testing this please do.....I will be shutting down and leaving the internet in a day or so and can't test further.....
     
  2. SnowGuy

    SnowGuy Guest

    First...my apology.....these days my health is not the best so I have less energy to follow through on testing......



    While I am unsure if there is any relationship to the subject topic.....another thing I noticed in the registry is several websites showing up in "Domains"..........not "zones"..........sites such as <yahoo> I have no accounts at <yahoo> have never logged in at that site....in short..I may drop in there briefly but that's about it......yet it's showing in the registry in DOMAINS......along with several websites I may have merely passed through.........oddly <yahoo> as best I can recall never caused any notice to appear regarding submitting form data.............
    maybe this is nothing.......but at least I posted the info in case someone cares to do further testing......I just am not able to.
     
  3. SnowGuy

    SnowGuy Guest

    Well.....isn't this nice........that website that I mentioned above where I went to do the port scan.....and had internet explorer settings changed.......well, I placed it in the restricted zone..went back.....and the exploit DID NOT OCCUR............is it placing the site in the restricted zone that prevents the exploit.....hmmmmmmm......somehow I just can't buy that.

    folks watch your settings.......if a warning box ever appears that has a "check" in it that will turn off your setting...leave the website.....no matter who..what..where.........your setting should never be forcefully changed to enter a website or for any other reasons........
    in just a moment I will be adding a third party "lock" to internet explorer that prevents changes......
    as for the domain issue...we'll see.....

    by the way....it's normal for the setting to be changed once the User gives the ok........the exploit is the website somehow forcing the warning to appear ALREADY CHECKED.......careful here....cause it appears like it's normal ......it's not
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,875 | Location: New England

    Hi snowy,

    Hmm, lots here to ask or comment about... First, I can't confirm seeing the same thing as you because first, I'm on XP using IE6, so my circumstances will be very different, I'm sure. Second, I wholeheartedly agree with the dangers of the "Always..." check boxes on Microsoft alert messages - not just the one you mention in IE, but many others... even the one that you get when you open a file with a different extension (such as: Mikes-file.xyz) - and it prechecks the "always use this program to open .xyz files". Lots of issues on that. :doubt:

    But, one thing I do have a question on is digging deeper into the Domains versus zone thing. Can you take a look at a few of the sites listed in Domains and see the values defined? I'm wondering if somehow these sites that are reacting differently aren't in perhaps a different zone (trusted, local intranet, my computer, etc.) - the values under the site name in the Domains key would tell.

    Is this the Domains key you are talking about, by the way?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    Do you use IE-SpyAd or the new SpywareBlaster (v3.X) which has restricted site capabilities in it?
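
An added example (not part of any post in this thread): a Python sketch that reads a `.reg` export of the `ZoneMap\Domains` key asked about above and reports which security zone each listed site is mapped to. The zone numbers are the standard IE zones; the sample export and its `.example` domain names are constructed for illustration.

```python
import re

# Standard IE security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ROOT = r"Internet Settings\ZoneMap\Domains"

# Constructed sample in .reg export format; the domains are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\portal.example\www]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\news.example]
"*"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_zone_map(reg_text):
    """Return a list of (host, protocol, zone_number, zone_name) tuples."""
    entries, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # Keep only the path below ...\ZoneMap\Domains.
            _, _, tail = m.group(1).partition(ROOT)
            parts = [p for p in tail.split("\\") if p]
            # Domains\<domain>\<subdomain> means host subdomain.domain
            host = ".".join(reversed(parts)) if parts else None
            continue
        m = VAL_RE.match(line)
        if m and host:
            # Value name is the protocol ("*" = all); data is the zone.
            zone = int(m.group(2), 16)
            entries.append((host, m.group(1), zone, ZONES.get(zone, "unknown")))
    return entries

def outside_internet_zone(entries):
    """Entries mapped to any zone other than the default Internet zone (3)."""
    return [e for e in entries if e[2] != 3]

if __name__ == "__main__":
    for host, proto, zone, name in parse_zone_map(SAMPLE_REG):
        print(f"{host:25} {proto:6} zone {zone} ({name})")
```

Sites that show up under a zone other than 3 are the ones that would behave differently from ordinary Internet-zone sites, which is what the question about the Domains values is trying to establish.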
     
  5. SnowGuy

    SnowGuy Guest

    LWM

    Heyya Buddy....thanks for replying......in answer to your question...yes and no.......no kidding........the Domains key you list..plus/as well as:

    hkey_local_machine/software/microsoft/internet domains

    *in this one..right now..only <hotmail.com> is listed*

    since that's local machine..it's inside.....<hotmail> I can understand....not <yahoo...or yahoo finance> which were also there.....as well as in the key you listed..........there were two other sites listed.......I deleted their folders yesterday.....as yet nothing has shown back up......the <hotmail> folder I left alone. I have a feeling that I will never find out how those websites got listed in that KEY.....have never heard of anything like this ever happening before......am sure there is an explanation I must be overlooking.

    Also, I use the agnis list......plus the sponge list in the firewall (now removed)...with the sponge list was my own rules set.......am now using just my own rules set.....but still using agnis list by way of another program......got spywareblaster but not using its restricted zone list....

    The "check" issue......what can I say....you cover that well......once those settings have been changed....if the User does not change the settings back.....that could be a real problem.....and the public best begin to show a little WILLPOWER and stay away from websites employing this issue.....
     
  6. HandsOff

    HandsOff Registered Member

    Joined: Sep 16, 2003 | Posts: 1,946 | Location: Bay Area, California

    just out of curiosity I went to see what my setting was (for IE-6) in the internet zone and I am set to enable.

    I have to ask is this really a liability for non-encrypted form data? IE wears me down with its prompt me settings, and I have to believe there is a threat for me to go through "prompting hell".

    My personal view is with IE one has to choose one's battles. Unfortunately, it is hard for most of us to know which battles are the important ones. I ran from this battle...

    Also another semi-related comment. Is IE referring to M$'s incessant demand to autocomplete stuff? I hate that, but have given up fighting it as well. Instead I simply supply so much bogus information during installations, and what not that now I am receiving snail mail spam targeted to my fictitious company, and autocomplete on my computer seems to get filled in for a gentleman referred to as "Redmond Redneck". A little off topic, but thought you might appreciate that. It's a small victory, but after all, they are fighting an unarmed man!

    -HandsOff
     