[35296] in bugtraq
Re: MS web designers -- "What Security Initiative?"
daemon@ATHENA.MIT.EDU (Greg Kujawa)
Tue Jun 15 01:42:46 2004
Date: 14 Jun 2004 13:07:37 -0000
Message-ID: <20040614130737.16053.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Greg Kujawa <greg.kujawa@diamondcellar.com>
To: bugtraq@securityfocus.com
In-Reply-To: <40CB8263.18297.7605685C@localhost>
I have to applaud your specific examples of where Microsoft's aims have been redirected (pun intended) and have become woefully presumptuous. Having worked in web hosting and website development in past lives I would agree that correcting the weblinks would be a truer solution than just performing all of the sneaky redirects that require scripting to be enabled.
Here's my question. Everyone please feel free to point out its validity as necessary. Why not add www.microsoft.com to your Trusted Sites list and allow this Internet Zone to have Active Scripting function as prompted? Are there cross-site exploits present that even make this a poor solution? This is the interim solution I have in place at my business locations. We have to use Internet Explorer for work-related application requirements. Otherwise I wouldn't switched to something like Mozilla.
In lieu of Microsoft patching the latest round of Secunia announced security holes I am disabling Active Scripting for all Internet Zones but the Trusted Sites Zone. If this isn't the best alternative what is if we *have* to use MSIE?
Anyone??
