Microsoft denies spoofing is security flaw

Discussion in 'other security issues & news' started by ronjor, Nov 2, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    ZDNet
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    They are right of course. The software is okay. Using ActiveX is okay (it's designed to enhance functionality). BHO's are okay, they are there to add functions. Active Scripting is okay too and signing code does enhance the security feeling, really it does. Embedding Internet Explorer in Windows is a great idea, it makes a comfortable working environment. And since the system is fully trusted, the default use of an admin account simplifies the computer use and adds to the comfort of end users.

    There's just one design flaw in Windows. It needs a user to perform all kinds of tasks. And users are full of bugs.
     
  3. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Microsoft can deny anything till doomsday but Microsoft Internet Explorer contains a security-setting feature that can be modified according to a user's preferences. These settings control what actions a web site can take on a user's system.
    A vulnerability exists in Internet Explorer, which could allow a web site to be viewed in the Local Intranet Zone, rather than the Internet Zone. Thus, allowing content to be viewed with less-restrictive security settings.
    Converting the IP address of the target web site into a dotless IP address, and submitting it, will cause Internet Explorer to view the web site in the Local Intranet zone.
     
  4. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Its even worse for IE6 WIN98 users where IE's default security settings allow a malicious webpage to open a new browser, open another site's main frame in that new browser and then set any subframes to a URL of their choosing. This could lead to misappropriation of private information, among other problems.

    Example:

    <SCRIPT>
    b=window.open("http://www.citybank.com");
    function g()
    {
    b.frames[2].location="http://www.yahoo.com";
    }
    setTimeout("g()",6000);
    </SCRIPT>
    The demonstration is available at:
    http://www.nat.bg/~joro/msfrspoof.html

    To work around this exploit: Disable "Navigate sub-frames across different domains" option (Under 'Miscellaneous' in setting list for 'Custom Level' creation.)
     
  5. steverio

    steverio Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    161
    Linux is looking better these days. :)
     
  6. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Actually, Linux is not too far behind interms of vulnerabilities. However, due to the lesser number of users, they are not as publicized. If Linux becomes the big guy on the block, expect even more vulnerabilities...
     
Loading...
Thread Status:
Not open for further replies.