[JA] Re: Call for switch from IE

  • From: thepccat@xxxxxxxx
  • To: juno_accmail@xxxxxxxxxxxxx
  • Date: Thu, 1 Jul 2004 22:03:42 -0700

The language here is typical Register UK [Microsoft is from hell, etc.].
I was unable to find a link or anything from CERT which said "use
anything but IE." They discuss various IE flaws which have not been
corrected, but what to do was not detailed. If you know otherwise, let me
know, plz.

The attacks are somewhat complex, at least to me, and I'm not quite sure
what is needed to be safe. Let's peruse this a bit.

In general, and for protection from Juno 4 or 5 email [which by
necessity uses IE], one could set the Internet Zone to High [which would
be used to render HTML email], then when surfing if a given page did not
run properly, one could put that page to run on Trusted or Restricted
Zones [which, for this purpose could be set to two other values, such as
Low for such as Windows Update, and a custom version of Medium 
-----
suggestions for the custom settings are available at sites such as
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/20468/WindowsSecurity_20468.html
http://www.winnetmag.com/Article/ArticleID/20622/20622.html
http://www.winnetmag.com/Article/ArticleID/20700/20700.html
http://www.winnetmag.com/Article/ArticleID/21026/21026.html
http://www.winnetmag.com/Article/ArticleID/21199/21199.html
http://www.winnetmag.com/Article/ArticleID/21282/21282.html
[six-part series from 2001 for Win 2000 which should be fine for XP and
for Win 9X except for the XP-specific stuff like Group Policy Objects]
or peruse
Forums » Up and Running » Security » IE Security Settings
http://www.dslreports.com/forum/remark,1333507~root=security,1~mode=flat
or
http://www.dslreports.com/forum/remark,1333507~mode=flat~days=9999~start=20
or
http://www.dslreports.com/forum/remark,1333507~mode=flat~days=9999~start=40
[suggestions and discussion from forum--note that different users have
different needs, so choose different settings]
or
http://www.tames.net/security/iesettings.htm
or
http://www.infinisource.com/techfiles/surf-safe.html
-------
With this arrangement, suggest using 
-----
Internet Explorer 5 Power Tweaks Web Accessory, but it works fine on
Internet Explorer 6.
http://download.microsoft.com/download/ie5/Utility/1/W9XNT4MeXP/EN-US/pwrtwks.exe
[info at]
http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx 
Allows you to switch the page you are viewing from Internet to either
Trusted or Restricted zone with a right-click choice, if it fails to
render properly [and thereby risk an attack from the unpatched flaw in
JavaScript rendering in IE].
-----

Here is Microsoft's recommendation with IE: 
http://www.microsoft.com/security/incident/settings.mspx
Increase Your Browsing and E-Mail Safety--4 Steps to Help Ward Off
Hackers and Attackers
1. Set Internet Explorer security level to High
2. Add Web sites you consider safe to Trusted Sites
3. Use plain text to read the e-mail messages you receive
4. Block pop-up windows in your browser

It seems the noted flaws [in particular the one using JavaScript] do not
apply to Firefox browser, though it has a flaw or two itself. When you
run Firefox, you typically do not run ActiveX or Flash/Shockwave [require
plugins and the ActiveX plugin is strongly not recommended], but can run
JavaScript, or Java at your option.

Information on browser flaws from Secunia, a reputable security outfit,
for the two most commonly used browsers in Win:
http://secunia.com/product/11/
Secunia currently has 54 Secunia advisories affecting Microsoft Internet
Explorer 6. 42% of these are "extremely" or "highly" critical, whereas I
don't see any that critical in the few flaws listed for Firefox 0.x and
Mozilla 1.4-1.6 browsers.
http://secunia.com/product/3256/
Secunia currently has 3 Secunia advisories affecting Mozilla Firefox 0.x.

For any product, see from Secunia at http://secunia.com/product/#os_F
a complete list of software and operating systems in the Secunia
database. Our database currently includes 3564 pieces of software and
operating systems.
Click a product to view all current Secunia Advisories affecting it.

Finally, see
http://www.eetimes.com/sys/news/showArticle.jhtml?articleID=22103358
[running out of two sides of the mouth IMHO]
July 01, 2004 (4:00 PM EDT) COLORADO SPRINGS, Colo. The Department of
Homeland Security's U.S. Computer Emergency Readiness Team touched off a
storm this week when it recommended for security reasons using browsers
other than Microsoft Corp.'s Internet Explorer. 
[...]
Alternative browsers such as Mozilla or Netscape may not protect users,
the agency [CERT] warned, if those browsers invoke ActiveX control or
HTML rendering engines.

OK, I have convinced myself, that, for good safety, IE is much worse than
the most popular alternative browser Mozilla/Firefox :-). On the other
hand, you might more likely get food poisoning this summer than a
successful attack via IE, particularly if you keep up your antiviral and
spyware signatures. So enjoy the potato salad and the Internet surfing,
be it with IE or Firefox.

thepccat

On Wed, 30 Jun 2004 11:58:46 EDT bob.in.jersey@xxxxxxxx writes:
> 
> http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/
> 
> [quote]
> CERT recommends anything but IE
> By John Oates
> Published Monday 28th June 2004 11:50 GMT
[...]

