Subject: RE: [NF] Business Week: Internet Explorer Is Just Too Risky
Author: "Ted Roche"
Posted: 2004/06/30 14:32:40
 


Glad to hear you're getting some sun. It's beautiful up there on the rare
sunny day. Getting in any time on your bike?

This last exploit was pretty spectacular: Unpatched (or under-patched) IIS
5.0 boxes missing MS04-011 and -014 are likely the problem, but it "appears"
(and we all know there's lots yet to figure out) that an unknown IE exploit
let the perpetrators get the trojan onto the client machines. Doesn't happen
with WinXPSP2RC2, apparently. I expect we'll see a Windows Update patch for
IE presently.

I agree it really would be nice to have an HTML browser that shows Hypertext
Markup Language and maybe JPGs, and skip the Flash, JavaScript, embedded,
animated whatevers. Mostly I want to read. Maybe we should go back to Lynx
<s>.


Mike Stewart wrote:
> West coast is sunny and hot...for a change. :-)
>
> I've had a hard time getting details on the exploit, even internally
> here (though I haven't looked *all* that hard). But from what I know,
> this is not XSS. XSS allows evil.com to run code in your browser when
> you do nothing more than surf to goodguy.com. In this case, the code
> is already sitting on goodguy.com's site, so no "cross-site" is going on.
> However, the author is correct in that, as far as I can tell, it's
> restricted to IE and the security context in which the code is run.
>
> However, it's not even that simple. It's a multi-pronged attack. IOW,
> exploit A can only happen if B, but B can only happen if C, which is
> only possible if D. Hey, what are the odds? Well, the odds caught up
> to us. Someone managed to string it all together so that D->C->B->A.
> It's a common security warning to never assume that just because A must
> occur that B will never happen (an oversimplification, but you get the
> point). Because sooner or later...
>
> Anyway, there was a good article on this that I just got around to
> reading on Security Focus:
> http://www.securityfocus.com/columnists/251.
> Pretty much the same thing I said (or maybe parroted :-) here, with some
> commentary. Company shill that I am, I have to admit he makes good
> points. I'd love nothing more than an IE with a checkbox that says
> "render text and pretty pictures only, and save the dancing bears for
> someone else".
>
> Mike Stewart
>
> -----Original Message-----
> From: profox-bounces /at/ leafe D.O.T com [mailto:profox-bounces@leafe.com] On
> Behalf Of Ted Roche
> Sent: Tuesday, June 29, 2004 2:10 PM
> To: profox /at/ leafe D.O.T com
> Subject: RE: [NF] Business Week: Internet Explorer Is Just Too Risky
>
> Hi, Mike! How's the west coast?
>
> I thought the cross-site scripting they were talking about in this exploit
> is occurring on frames and/or popups on the client side, not the server, and
> it's the IE engine improperly running code in the Local Machine vice
> Internet security context. I'm no expert in XSS, but that's the way I've
> read the reports of this exploit.
>
[excessive quoting removed by server]


 
©2004 Ted Roche