“We’re on the home stretch for Windows XP SP2! I can’t begin to tell you what a relief it is to see it almost done,” says Michael Howard on his blog. I agree. In looking over the Secunia advisories for Internet Explorer… IE is getting pretty nasty these days…


The following are unpatched:
Secunia – Advisories – Internet Explorer File Download Error Message Denial of Service Weakness:
http://secunia.com/advisories/11868/

Secunia – Advisories – Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability:
http://secunia.com/advisories/11830/

Secunia – Advisories – Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities:
http://secunia.com/advisories/11793/ (this is the Russian IIS one that is currently being exploited)

Secunia – Advisories – Microsoft Internet Explorer and Outlook URL Obfuscation Issue:
http://secunia.com/advisories/11582/

Secunia – Advisories – Windows Explorer / Internet Explorer Long Share Name Buffer Overflow:
http://secunia.com/advisories/11482/

Secunia – Advisories – Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing:
http://secunia.com/advisories/11273/


…you get the idea… basically, walk down the IE advisories and see which ones don’t point to a security bulletin… but even then, I think I’m going to keep running in high security. There’s no reason that web sites should do “stuff” without my permission.


Remember the 10 laws of security? I’d say IE is letting rule number 2 get broken.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn’t practical, in real life or on the Web
Law #10: Technology is not a panacea


http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx