  Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
| An IE Browser is EVEN exploitable on DSL Reports
I ask about DSLreports and the possibility of a security risk from clicking on URL links.
»DSLreports Clicking a link in forums?
Turns out a lot of people didn't even know it existed.. [text was edited by author 2003-07-26 13:37:00] |
|
  nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
| Re: An IE Browser is EVEN exploitable on DSL Repor
Well.. it really doesn't..
As I explained in that thread.. dslr security is based on more than just the cookie so ability to execute arbitrary javascript isn't exactly a huge security hole.
-- Life is too short to be boring [text was edited by author 2003-07-26 13:39:47] |
|
  nightdesigns Gone missing, back soon Premium join:2002-05-31 AZ
·Cox HSI
| Am I safe, probably not.
Let's see, I'm firewalled, antivirus (updated and scanned weekly), adsubtract, spamcop, and run adaware every now and then, and netscape, I NEVER use IE. Am I safe from a hit? Probably not. I just consider these tools of the trade of the internet world these days. They're mostly there to help me retain my sanity. |
|
  metalfury
@swbell.ne
| CHOOSE YOUR WEAPONS!!
* Opera »www.opera.com - screamin' fast HTML rendering!! Pop-up blocker, tabbed browsing, mouse gestures (do stuff just by moving the mouse and holding Ctrl or left button, whatever), keyboard browsing (no mouse, no prob). It does have rather annoying bugs, though. Printing correctly from Opera is an exercise in tweaking. Some username/password sites won't work at all (»sbc.yahoo.com comes to mind). To learn more, go to usenet group opera.general (NOT rec.opera, unless Bizet's Carmen is your cup of tea).
* SlimBrowser »www.flashpeak.com - for pages that only render correctly in IE. It's all I use at work, since our intranet sites were all built using Front Page. Same features as Opera, but only as fast as IE. Oh yeah, it has Groups, where you click on a group in the list (like a bookmark) to open a set of browser tabs. Geez, if only I could convince Operations to include this baby in the ghost image...
I've tried many other IE-based browsers such as CrazyBrowser, iTrix, Avant Browser (nice, but no go on NT4, shit!), MyIE2, but this is by far the best.
* Avast! »www.avast.com - anti-virus, with regular updates, just like Norton, but FREE. Note: the software will ask you to register, and you have 60 days to evaluate the product, blah, blah, blah... but registration is free. Concerned about privacy? Fake all the info except your e-mail, since that's where you'll get the reg code. They accept free web mail too.
* Ad-aware 6 »www.lavasoft.com - no comments required. The stick by which all pop-up blockers are measured.
* SpywareBlaster »www.wilderssecurity.net/spywareblaster.html - just found this out yesterday, and it's AWESOME. The software disables certain ActiveX controls that spyware software commonly uses to install itself. Kiss shit like Xupiter goodbye. It also has a "system restore" kind of thing, so if anything ever falls through the cracks, you can always restore your settings. Last but not least, it has a Flash blocker (since 99% of Flash movies are ads or useless crap), and disabling and enabling it is far simpler than uninstalling the Flash plug-in. They say their spyware database is constantly being updated, but only time will tell. The last update was dated 7/18.
I think I'm well prepared. If you have a better solution, let the discussion begin!! |
|
  cugino
join:2000-11-27 Brooklyn, NY
| An ounce of vigilance & a pound of paranoia
As unpalatable as it is, and as unjust as it may seem to those who genuinely value privacy and security, it takes a great deal of vigilance to ensure your own privacy & security online.
No, I don't begrudge M$ for some of the glaring holes that exist in IE. Ultimately, it's up to each user to manage his/her own security online, just as it's your responsibility to lock your own doors at night. Fortunately, there are plenty of great tools out there to give us some leverage against the hordes of scumb@gs, script kiddies, and corporate voyeurs who wish to violate us at every turn.
As long as I have a good firewall, virus scanner, Trojan scanner, ad-ware scanner, the ability to disable scripting & cookies in my browser, and an awareness of all the dangers that are potentially out there, I'll take my chances.
Do the aforementioned make me immune to every danger? Of course not, but they do allow me to have at least a modicum of control over my own security, which is all anyone can ask. -- "90% of the game is half mental" ..Yogi Berra [text was edited by author 2003-07-26 14:03:19] |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
| reply to nil Re: An IE Browser is EVEN exploitable on DSL Repor
said by nil : Well.. it really doesn't..
As I explained in that thread.. dslr security is based on more than just the cookie so ability to execute arbitrary javascript isn't exactly a huge security hole.
No, recheck the topic. A lot of new stuff got added. |
|
  nil Java Geek join:2000-11-27 | reply to metalfury Re: CHOOSE YOUR WEAPONS!!
Opera is pretty strict about html and javascript.. I found the sites that don't work well in it are the ones not adhering to standards. -- Life is too short to be boring |
|
  nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
| reply to Sarick Re: An IE Browser is EVEN exploitable on DSL Repor
JavaScript is client side.. hence all the various little tricks you can do with it only work for the person viewing the site.. so yes.. someone could insert an iframe that will display contents of /prof.. but guess whose you will view? Your own.. and you can't view someone else's.. -- Life is too short to be boring |
|
  Kambriel
join:2001-02-10 Sanford, FL
·RoadRunner Cable
| reply to metalfury Re: CHOOSE YOUR WEAPONS!!
You are recommending AdAware? About six months ago, AdAware used to be the stick that others were measured by until a few watchdogs discovered that AdAware removed some sites from their list after receiving funding from these adware/spyware companies and allegedly still do so. Many former AdAware fans have moved on to Spybot Search & Destroy. Personally, I haven't looked back since Spybot found about eight items that AdAware left behind and this was before I even updated my Spybot defs to the then current version.
And so far, no one has mentioned a well stocked hosts file. I can't live without mine. It may not block pop-up windows, but it sure blocks the content. [text was edited by author 2003-07-26 14:27:48] |
|
  livininarizona Premium join:2001-08-05 Merced, CA clubs:  
| Most people...
are just paranoid, and over-reacting to the effect of "Internet Security". Besides submitting REAL personal information (which I hardly ever really have to do) there's nothing the average home user really needs to worry about. Yeah, basic antivirus is good, but multiple firewalls, paying for a proxy server, running through a router just for 1 computer...it's overkill, and a waste of time. Worst case scenario, you have to format your HDD. Get the google toolbar for IE and there's your pop-up blocker. Don't run suspicious ActiveX controls from a porn site, don't download "webcam viewers", don't download attachments from email when you don't know who the sender is, don't turn automatic DCC sends on in IRC..all this should be self-explanatory. -- _____________________________It's Simple: »technologytalk.tk |
|
  nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
| Actually.. no.. worst case scenario your computer is hijacked and used to spam or direct ddos attacks.. Think it can't happen? It does all the time..
Having an internet connection and no firewall (especially with windows) is like begging to be hacked.. and contrary to popular belief most hackers are not out to get your information.. they just want to use your bandwidth.. and cover up their tracks by hopping from hacked machine to hacked machine. -- Life is too short to be boring |
|
  Techie2000 In Vertigo Premium join:2001-12-05 clubs: | reply to nil Re: CHOOSE YOUR WEAPONS!!
Yeah. I like Opera, although the latest 7.20 Beta 1 is a bit unstable and renders the forums kinda funky... |
|
  livininarizona Premium join:2001-08-05 Merced, CA clubs:  
| reply to livininarizona Re: Most people...
I guess I'm a very rare exception to the rule, as I have had an open connection to my computer for a while now. I even run Apache/MySQL on my personal connection with NO firewalls (just antivirus). I know for a fact that I'M the only one using my bandwidth; I monitor that kind of stuff with bandwidth monitoring tools. I EVEN have a NON-WEPed wireless network, and even that hasn't been breached. I guess I'm just a guy that likes to live "on the edge" but so far for about 2 1/2 years with broadband, no consequence. -- _____________________________It's Simple: »technologytalk.tk |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
| reply to nil Re: An IE Browser is EVEN exploitable on DSL Repor
I would love to see both parties debate over this some more.
One person says it's exploitable, the other says it's not.
My problem is I can't argue with anyone; I don't program JavaScript.
A couple of people tend to think it's still open for debate.
I do miss your insight. After all, it's my understanding that you're head of this site's web design or have a lot of say on its design and/or performance.
Like I said before, I try to lock down my system as much as possible. Having an exploit install something is rare but I don't want to deal with too many paranoid issues that could cause brain damage.
Most of the exploits IE has are because it's so intertwined with the OS. I bet there are still many hacks not found in the wild in IE. |
|
  nil Java Geek join:2000-11-27 | Okay, sure, why not.. There's one way to about it.. See my new post in the other thread. -- Life is too short to be boring |
|
  untroubled1 Redneck Dawg Premium join:2001-12-21 Omaha, NE
| reply to livininarizona Re: Most people...
said by livininarizona : I guess I'm a very rare exception to the rule, as I have had an open connection to my computer for a while now. I even run Apache/MySQL on my personal connection with NO firewalls (just antivirus). I know for a fact that I'M the only one using my bandwidth; I monitor that kind of stuff with bandwidth monitoring tools. I EVEN have a NON-WEPed wireless network, and even that hasn't been breached. I guess I'm just a guy that likes to live "on the edge" but so far for about 2 1/2 years with broadband, no consequence.
At least you have guts. I wouldn't have advertized that info. -- Using Cox Business Services (Rock "N" Roll) |
|
  bear73 Metnav... Fly The Unfriendly Skies Premium join:2001-06-09 Grand Forks Afb, ND
·Midcontinent Commu..
| reply to nightdesigns Re: Am I safe, probably not.
If you want to strip out IE from your system, take a look at IEradicator here. The folks there originally built their tools (avail. free) to remove IE from Win9x. I have used it quite a bit on W98SE. It has helped with stability on my wife's machine. -- If ya gotta go, Go with a SMILE! |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| reply to nil Re: An IE Browser is EVEN exploitable on DSL Repor
I'm VERY busy this weekend, and as I noted in the thread, I've not used Javascript for much other than form validation and simple redirection of the browser... but when I get time, I'll work on a 'proof of concept' post in the forum you linked, NIL.
And btw, thank you for taking time out for this.. I, too, am very interested in the outcome since I run my own custom forum system myself; I thought I had taken care of a lot of malicious possible uses before... but we'll see
Perhaps someone will get to a 'proof of concept' before I do.. we'll just see. |
|
  mrchris We don't miss you Bush Premium join:2002-10-01 North Babylon, NY
·Verizon FIOS
·Optimum Online
| I'm safe
I have 1) Fully patched IE and Windows XP, 2) Norton Internet Security 2k3 w/ latest updates, 3) Spybot S&D w/ latest definitions (bad products blocked too) and 4) Spyware guard with download protection, browser hijack protection and general product blocking with it.
Basically I have a quadruple shield in place, all behind NAV 2003 |
|
  hhawkman Premium join:2001-02-08 Port Hueneme, CA
·RoadRunner Cable
| reply to Kambriel Re: CHOOSE YOUR WEAPONS!!
said by Kambriel : And so far, no one has mentioned a well stocked hosts file. I can't live without mine. It may not block pop-up windows, but it sure blocks the content.
That is a damn good tool, but by no means the answer. Taking things like doubleclick for example, they add or change server names on almost a daily basis. To keep them all in check is almost a 24 hr/day job. By the time you add all the sites you want to block, the HOSTS file gets so large that basic surfing slows to a crawl as every link is checked against the "list", and it won't help direct IP links.
I have had good results by using a PAC file like the one available at: »www.schooner.com/~loverso/no-ads/
Instead of tracking each "doubleclick" server, it will allow you to use wildcards, and even block whole IP ranges. |
|
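The wildcard and IP-range blocking described in the post above, sketched as a PAC file (an added example, not part of the thread and not the no-ads file it links to). The host patterns, the address range and the black-hole proxy address are constructed; the small helpers stand in for the browser-provided shExpMatch() and isInNet() so the file also runs outside a browser.

```javascript
// Added example; every hostname and address below is constructed for illustration.
var BLACKHOLE = "PROXY 127.0.0.1:9"; // assumption: no proxy listens here, so the request fails fast
var BLOCKED_HOSTS = ["*.adserver.example", "ad*.tracker.example"]; // wildcards, not one entry per server
var BLOCKED_NETS = ["192.0.2.0/24"]; // documentation range standing in for an ad network

// Convert a glob with * and ? into an anchored, case-insensitive RegExp.
function globToRegExp(glob) {
  var escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
}

// Parse a dotted-quad IPv4 literal into a number, or return null if host is a name.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (+m[i] > 255) return null;
    n = n * 256 + (+m[i]);
  }
  return n;
}

// True when the numeric address falls inside the CIDR block.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var size = Math.pow(2, 32 - (+parts[1]));
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(parts[0]) / size);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    // Direct-IP links, which a HOSTS file cannot catch, are checked against ranges
    // without any DNS lookup.
    for (var i = 0; i < BLOCKED_NETS.length; i++)
      if (inCidr(ip, BLOCKED_NETS[i])) return BLACKHOLE;
    return "DIRECT";
  }
  for (var j = 0; j < BLOCKED_HOSTS.length; j++)
    if (globToRegExp(BLOCKED_HOSTS[j]).test(host)) return BLACKHOLE;
  return "DIRECT";
}
```

The patterns are anchored at both ends, so `*.adserver.example` covers any newly added subdomain but does not match an unrelated name that merely contains the string.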