Scriptless IE Not Worth It

By Larry Seltzer  |  Posted 2004-07-05

Opinion: Whenever there's another security hole in Internet Explorer, they tell you to disable Active Scripting and ActiveX as an interim measure. I gave it a try.

The U.S. Computer Emergency Readiness Team gained a lot of attention with its advisory on the most recent Internet Explorer attack. In the "solutions" section, it suggested—as the last of six things you might do—that you could use a different browser. Absolutely, and I wonder why the team doesn't make the same recommendation for numerous other products for which it lists vulnerabilities. But I was more interested in the first listing in the solutions section: Disable Active scripting and ActiveX.

Disabling Active scripting and ActiveX controls in the Internet Zone—or any zone used by an attacker—appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning.

Instructions for disabling Active scripting in the Internet Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See this Microsoft Knowledge Base article for information on securing the Local Machine Zone. Also, Service Pack 2 for Windows XP, currently in beta release, includes these and other security enhancements for IE.

I've seen this sort of recommendation very often in past security advisories, principally in those from Microsoft. I've always thought of it as pro-forma stuff, kind of like the potential side effects listed on a medicine package, which is basically a list of anything that's ever been observed. They have to list it, but they don't really believe in it.

Nobody would ever actually disable ActiveX controls and Active scripting, would they? I figured now was the time to try and see just how bad things were. I left related settings aside and did this only in the Internet zone.

My Internet Explorer was a lot more functional than I expected in this condition, but I still had enough problems that if I felt this was the only way to run IE, I would switch browsers myself, probably to Firefox. I don't think this is the only way to run IE, though, especially when Windows XP SP2 comes out.

A lot of Web sites just end up looking funny, with the fonts all wrong. ESPN is one of these. I assume they are using scripting to modify the DOM. Other parts of ESPN are dysfunctional to the point of there being many empty content boxes around the screen.

Fleet Homelink, my bank's site, is completely busted. I looked at the page source, and the home page has a script-based browser type and version check, so this one's a definite no-go. In cases like this, I either used a different computer (I have a lot of them), or I used Firefox.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
