Re: MS web designers -- "What Security Initiative?"

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: MS web designers -- "What Security Initiative?"
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Jun 2004 18:57:35 +1200
In-reply-to: <20040614130737.16053.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Personal account
Priority: normal
Reply-to: nick@xxxxxxxxxxxxxxxxxxx

Greg Kujawa <greg.kujawa@xxxxxxxxxxxxxxxxx> wrote:

<<snip>>
> Here's my question. Everyone please feel free to point out its validity
> as necessary. Why not add www.microsoft.com to your Trusted Sites list

You'd trust them after all that history?

Aside from the very shoddy security history (which shows little real 
indication of changing, no matter how many column inches the MS 
publicity steam-roller manages to drum up to the contrary), MS is a 
"big target" so microsoft.com is more likely to be targeted for attack.

> and allow this Internet Zone to have Active Scripting function as
> prompted? Are there cross-site exploits present that even make this a
> poor solution? This is the interim solution I have in place at my
> business locations.  ...

Given IE's history, I'd probably be more worried about _cross ZONE_ 
security flaws than cross site ones (not that the latter aren't 
potentially significant).  In fact, cross zone vulns are among the 
those MS is slowest to fix and most likely to be only partially fixed, 
with trivial exploit variants surfacing after the first patch.  Such 
attacks _are_ widely used, as many, many weeks of ms-its: protocol 
abuse by spammers and adware peddlers recently showed (of course, they 
continue with such abuse because there are tons of still-vulnerable 
because they have not patched users, but that's not you).

Because the security zone model is so fundamentally broken (arguably 
broken by design given its vulnerability history), I am quite reluctant 
to give any domain raised privileges by adding it to that zone (and, in 
my admittedly self-preservationally paranoid IE configuration, those 
"raised" privileges are not even equivalent to the way too liberal 
default "Internet zone" settings).

> ...  We have to use Internet Explorer for work-related
> application requirements.  ...

Utter rubbish!

Anyone who says "we have to use IE because..." is then simply mouthing 
some other vendor's security ignorance which boils down to either or 
both of:

   we [the other vendor] are lazy scumbags who can't be bothered to
   learn how to write our programs well

and:

   we [the other vendor] don't give a sh*t about our clients' system
   security because we are so arrogant as to require our clients to use
   products no-one with any security smarts would wish on their worst
   enemies

It's not quite exactly the same, but can anyone really see any 
fundamental practical difference between the situation:

   Supplier X requires us to run Security-bug_Ridden_Web_Browser Y (aka
   IE)

and the first "immutable security law":

   If a bad guy can persuade you to run his program on your computer
   it's not your computer anymore

???

To paraphrase the security law to match this specific situation:

   If a supplier can persuade you to run Security-bug_Ridden_Web_
   Browser Y on your computer, it's not your computer anymore

Now do you understand?

If a web browser is just a data neutral information display device 
(which is what it is supposed to be), it is no-one's business but your 
own which browser you choose to use for whatever reason[s].  If you 
have suppliers that do not understand that, get better suppliers -- in 
the long run you will be helping your current suppliers as well as 
yourself...

> ...  Otherwise I wouldn't switched to something
> like Mozilla. 

I presume you mean "would have"...

> In lieu of Microsoft patching the latest round of Secunia announced
> security holes I am disabling Active Scripting for all Internet Zones
> but the Trusted Sites Zone. If this isn't the best alternative what is
> if we *have* to use MSIE? 
> 
> Anyone??

Won't help you a scrap.  At least one of those vulns is a very nasty 
cross zone flaw, whereby the zone-checking part of IE (yet again) is 
trivially tricked into seeing a URI as belonging in a more trusted zone 
than the "effective URI" (i.e. the one that is actually acted on by the 
content parsers, script engines, ActiveX, etc) should be seen to be in. 
 Recipe for trouble, especially if you add microsoft.com to the TS zone 
as it's a good bet that the scumware vendors may well start trying to 
abuse this latest vuln by assuming that many folk are probably dim 
enough to entrust microsoft.com to the TS zone -- attempted exploits 
based on that assumption will outright fail on a huge proportion of 
potential victim machines, but likely work on enough to make attempting 
it worthwhile (like spam, such folk live quite well off _triflingly 
low_ hit rates).

Regards,

Nick FitzGerald

References:
- Re: MS web designers -- "What Security Initiative?"
  - From: Greg Kujawa

Prev by Date: [SECURITY] [DSA 519-1] New CVS packages fix several potential security problems
Next by Date: [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability
Previous by thread: Re: MS web designers -- "What Security Initiative?"
Next by thread: [FMADV] Subversion <= 1.04 Heap Overflow
Index(es):
- Date
- Thread