Topic awaiting preservation: IE even worse than we all thought (Page 1 of 1)

http://www.techweb.com/wire/57700191



Lucky we are all using FireFox



___________________
Emps

The Emperor dot org | Justice for Pat Richard | FAQs: Emperor | Site Reviews | Reception Room

if I went 'round saying I was an Emperor just because some moistened bint had lobbed a scimitar at me, they'd put me away!

What do you mean? Being able to invoke cmd.exe from a link is not that big a big deal.

Nope, I'm safe. Just checked out all the tests, and my IE 6.0 on Win2k Adv. Server passed with flying colors.

Unfortunately, I don't like Firefox. The plugins and modules are cool, but the CrazyBrowser tabbed browsing interface is much better.

At school we have to use IE and can't download Firefox (because it's an .exe file and could be a virus or something). It passed the test though.
At least I use Firefox at home...

@silence: If you like the crazy browser. Check out maxthon at maxthon.com

AlterEgo, if you got a flash-disk you can copy FireFox from your hdd (at your home) to that usb-flash-disk and then run FireFox from it, wherever you are.

AFAIK it works w/o installation.

--
Regards,
Elias

^ That's an idea, might try that.

Go FF! GO!

GO IE! GO ... to hell!

When I read this thread name I thought "impossible." But impossible is nothing to the staff at microsoft

These stupid "vulnerabilities" are so easy to fix that it's amazing people do not do this more often.

Here's how you "safe surf" in IE. (IE5/6 on Windows 2000 at least - modify the below instructions for your OS)

((Note: This will also stop ALL pop-ups, "animated gif" ads, and those damnable, accursed flash ads. In TWO YEARS of using this technique, I have NEVER had any spyware, popups, or browser-hijackings.))



Open an IE explorer window. Goto internet options->advanced. Disable EVERY STINKING THING YOU CAN FIND regarding scripting (vbscript and javascript) and especially anything to do with ActiveX. Not "Ask" or "Prompt" but "DISABLED."

Then open RegEdit and go to the following address:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

(make sure you use the zone for "Internet" if yours is not "3")

EXPORT THIS KEY to a file called "ShieldsUP.REG" (or whatever you want to call it) and put it on your desktop.

Then go back to InternetOptions and go to SECURITY. RESET your security options back to "Medium" (or whatever you usually surf at). Export the above RegKey again to another file called "ShieldsDown.reg" (or whatever you want to call it).


Then, for safe surfing just double click on "ShieldsUP.REG" When you are going to known safe places that don't work properly without scripting, then double-click on "ShieldsDown.Reg".


Here's how the files look in WIndows 2000 Server (probably all Win2K versions):




ShieldsUP.REG:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
@=""
"DisplayName"="Internet"
"Description"="This zone contains all Web sites you haven't placed in other zones"
"Icon"="inetcpl.cpl#001313"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00011000
"RecommendedLevel"=dword:00011000
"Flags"=dword:00000001
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000001
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000003
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000003
"1805"=dword:00000001
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1C00"=hex:00,00,00,00
"1E05"=dword:00010000
"{7839DA25-F5FE-11D0-883B-0080C726DCBB}"=hex:30,82,01,51,03,02,00,00,30,82,01,\
49,30,22,06,0a,2b,06,01,04,01,82,37,0f,03,01,30,14,06,09,2b,06,01,04,01,82,\
37,0f,01,31,07,30,05,03,01,00,30,00,30,81,fe,06,0a,2b,06,01,04,01,82,37,0f,\
03,02,30,81,ef,06,09,2b,06,01,04,01,82,37,0f,01,31,81,e1,30,81,de,03,01,00,\
30,81,d8,a0,20,30,1e,06,09,2b,06,01,04,01,82,37,04,04,30,11,01,01,00,30,08,\
14,06,61,70,70,6c,65,74,30,00,30,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,\
04,07,30,08,03,02,00,01,03,02,00,02,a0,11,30,0f,06,09,2b,06,01,04,01,82,37,\
04,0c,03,02,00,02,a0,21,30,1f,06,09,2b,06,01,04,01,82,37,04,01,30,12,01,01,\
ff,01,01,00,01,01,00,01,01,00,01,01,00,01,01,00,a0,17,30,15,06,09,2b,06,01,\
04,01,82,37,04,02,30,08,01,01,00,01,01,ff,30,00,a0,1a,30,18,06,09,2b,06,01,\
04,01,82,37,04,03,30,0b,01,01,00,01,01,00,02,01,00,14,00,a0,11,30,0f,06,09,\
2b,06,01,04,01,82,37,04,0e,03,02,00,03,a0,1d,30,1b,06,09,2b,06,01,04,01,82,\
37,04,0f,30,0e,30,08,02,01,00,02,03,10,00,00,03,02,00,00,30,22,06,0a,2b,06,\
01,04,01,82,37,0f,03,03,30,14,06,09,2b,06,01,04,01,82,37,0f,01,31,07,30,05,\
03,01,00,30,00





ShieldsDOWN.reg:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
@=""
"DisplayName"="Internet"
"Description"="This zone contains all Web sites you haven't placed in other zones"
"Icon"="inetcpl.cpl#001313"
"CurrentLevel"=dword:00000000
"MinLevel"=dword:00011000
"RecommendedLevel"=dword:00011000
"Flags"=dword:00000001
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000001
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000003
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000003
"1805"=dword:00000001
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1C00"=hex:00,00,00,00
"1E05"=dword:00010000
"{7839DA25-F5FE-11D0-883B-0080C726DCBB}"=hex:30,82,01,51,03,02,00,00,30,82,01,\
49,30,22,06,0a,2b,06,01,04,01,82,37,0f,03,01,30,14,06,09,2b,06,01,04,01,82,\
37,0f,01,31,07,30,05,03,01,00,30,00,30,81,fe,06,0a,2b,06,01,04,01,82,37,0f,\
03,02,30,81,ef,06,09,2b,06,01,04,01,82,37,0f,01,31,81,e1,30,81,de,03,01,00,\
30,81,d8,a0,20,30,1e,06,09,2b,06,01,04,01,82,37,04,04,30,11,01,01,00,30,08,\
14,06,61,70,70,6c,65,74,30,00,30,00,a0,17,30,15,06,09,2b,06,01,04,01,82,37,\
04,07,30,08,03,02,00,01,03,02,00,02,a0,11,30,0f,06,09,2b,06,01,04,01,82,37,\
04,0c,03,02,00,02,a0,21,30,1f,06,09,2b,06,01,04,01,82,37,04,01,30,12,01,01,\
ff,01,01,00,01,01,00,01,01,00,01,01,00,01,01,00,a0,17,30,15,06,09,2b,06,01,\
04,01,82,37,04,02,30,08,01,01,00,01,01,ff,30,00,a0,1a,30,18,06,09,2b,06,01,\
04,01,82,37,04,03,30,0b,01,01,00,01,01,00,02,01,00,14,00,a0,11,30,0f,06,09,\
2b,06,01,04,01,82,37,04,0e,03,02,00,03,a0,1d,30,1b,06,09,2b,06,01,04,01,82,\
37,04,0f,30,0e,30,08,02,01,00,02,03,10,00,00,03,02,00,00,30,22,06,0a,2b,06,\
01,04,01,82,37,0f,03,03,30,14,06,09,2b,06,01,04,01,82,37,0f,01,31,07,30,05,\
03,01,00,30,00


click-click: shields up! And you are quite safe!!! Every last stinking one of these "vulnerabilities" depend on client-side scripting to accomplish their nefarious purposes.

NOTE THIS: Setting yoru Internet Zone Security even to HIGH (the highest level) will not protect you from these vulnerabilities because even the highest internet zone security settings do not disable scripting and ActiveX scripting.


BTW - This is also why I've made quite a name for myself among my clients by developing web applications that require absolutely NO, NONE, ZILCH, NADA client-side script. And they are not "ugly" either! It's impressive to demo a site to a customer and tell them, "It will look and behave EXACTLY like this even in the highest security environment, and even on browsers that do not support scripting at all!

(Edited by KirbyWallace on 01-14-2005 07:00)

Yes... or... we could simply send a message to Mircosoft that we will not put up with their crappy, bug-ridden code, and we will not research to find ways to fix *their* problems. How do we do this? We do not use IE. We use Firefox, Mozilla, Opera, anything but IE. There are sites around the collect stats on who's surfing with what browser, and Microsoft pays attention to these. They'd be crazy not to.


Justice 4 Pat Richard

^ Damn straight.

ANYTIME one has to go into the Registry to "fix" something is NOT a good fix! Most people should NOT be messing around in their Regestry! It's bad enough that they have a computer!

A fix that requires people to go into the Regestry is just begging for trouble. A wrong click here, wrong delete there, wrong button press over here..."You now have the dubious privelige of installing your OS again. Thank you for using M$ products."

Ramasax - I think that you are missing the point. The test example opens cmd.exe to run another program - in this case, iexplore.exe. If it is possible to execute any code that exists on your machine, I very much doubt that your machine can be considered 'secure'.

That is pretty much a big deal.


This is old news though (I'm sure this issue has been posted here before), and I use FF anyway, so na-na-nana-naaaa. :P

==I don't believe it! Somebody stole my sig!!==

White Hawk: I think you missed the irony, enbodied by the wink slimy, in Ramasax's post.

Microsoft: Innovating crap to new levels!

"Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke
"Any sufficiently arcane magic is indistinguishable from technology." -- P. David Lebling

<===*spots the wink*

Oh yeah. *doh!*

Rack up another convert to Firefox. The latest ????u/grade for Windows resulted in a seemingly endless loop for my cpu using IE - no viri or Trojans, don't even have to be online . Bah Humbug and begone IE

quote:

---

KirbyWallace said:

These stupid "vulnerabilities" are so easy to fix that it's amazing people do not do this more often.

---

If that's what you call "easy"...

I find it much easier to simply install and use a browser that does not require that I alter my registry and disable any scripting in order for me to use it, and I find the idea of going to that trouble to make IE "safe" simply ridiculous and can't fathom why anyone would bother with such viable alternatives out there (Firefox, mozilla, opera, etc)

FF has come a long way in a year, for example, much more than IE has in 3-4 years. To be honest, even disregarding the majority of things that make IE a bad choice, i REALLY don't understand why someone over at MS still clings to the idea that users don't really want and/or use tabs. It's only an example. I could make a bet that they'll ship some IE 7 along with Longhorn where they'll try to re-invent the idea of tab, or use something different that they'll call something else, cos it's been too much since they refused to adopt tabs, god knows why, maybe just cos they weren't the ones to implement them first.
Anyway, I still use IE but only for cross chacking. I know people who preffer using IE and windows without any SP installed and then spending one day cleaning they system of spyware and viruses. So... IE will still be used untill MS has a big portion of the market to ship it to.


Curiously yours, crip

(for the record, though I am an avid FF user, I hate tabs and never use them!)

Your choice. But statistically you have to admit that people that use Opera or FF use them. And it was only used as an example. There are others maybe.


Curiously yours, crip

(Edited by crip on 01-17-2005 02:04)

quote:

---

you have to admit

---

don't know, don't care - simply stating my preference, as the tabs seem to be a point of contention somehow...

=)

DL-44: Aren't you glad you have the choice though?
And if you start using them I really doubt you'd look back. Though its hardly the selling point of FF its the most notable/visible feature and certaintly for me, I find them the best thing since angry sliced bread I used to always end up with so many IE windows on my taskbar I couldnt read the text, also if I have one window for the Asylum and open any links in new tabs , I know everything in that window came from the asylum. Its kind of like using windows as sets of web page categories !??

I use Mozilla by the way, FF seems to have a problem with acrobat reader now and again. .. I think its just with some version of AdobeAcrobat but check your process list after viewing a pdf in your browser .. at home, in work now and my old work this happened. When you leave the pdf page, acrobat doesnt close properly and stays in memory. Oh and I dont like skinable things for some reason, like XP. Seems like a waste of cycles or something.

KirbyWallace: Thanks for the reg code, even though I agree that fixing MS' problem isnt a fix at all it'll keep the spyware away for a while, you can barely open IE without getting something.

I have to admit, I had NO idea what tabs were, until FF came along and someone mentioned them. After a bit of getting used to them, I can honestly say I don't know how I got along without them before!

They make cross-referencing points and copy and paste a breeze, without having to dig up lots of windows to see which one contained the info I wanted - or the one that I wanted to transfer the info to. And I can minimize them all in one instant. And becasue I tend to surf a number of sites, it is nice to switch between them effortlessly, and to refresh one, and go to another while waiting for the new info to appear.

And I love having a tailorable menu. Oh, and the update feature of FF for the extensions is really good, and I love the ease of turning off/on SW install/graphic/java stuff, etc.

Well guys, if you installed the Microsoft Anti-spyware software, it looks like you won't have to put up with any IE vunerabilities any longer!

I had to change my underwear TWICE when I read this!

Enjoy!

If I didnt use IE to test webpages and view IE onlys, Id definatly get that update. Good stuff I guess, it means that spyware software is fairly smart.

That is the funniest damn thing I ever heard! And I want that Anti-Spyware!

"Go and kill! Kill!! Kill IE!!!!"