Opinion: Whenever there's another security hole in Internet Explorer, they tell you to disable Active Scripting and ActiveX as an interim measure. I gave it a try.
The U.S. Computer Emergency Readiness Team gained a lot of attention with its advisory on the most recent Internet Explorer attack.
In the "solutions" section, it suggested, as the last of six things you might do, that you could use a different browser. Absolutely, and I wonder why the team doesn't make the same recommendation for numerous other products for which it lists vulnerabilities.
But I was more interested in the first listing in the solutions section: Disable Active scripting and ActiveX.
Disabling Active scripting and ActiveX controls in the Internet Zone, or any zone used by an attacker, appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning.
Instructions for disabling Active scripting in the Internet Zone can be found in the CERT/CC Malicious Web Scripts FAQ.
See this Microsoft Knowledge Base article for information on securing the Local Machine Zone.
Also, Service Pack 2 for Windows XP, currently in beta release, includes these and other security enhancements for IE.
I've seen this sort of recommendation very often in past security advisories, principally in those from Microsoft. I've always thought of it as pro-forma stuff, kind of like the potential side effects listed on a medicine package, which is basically a list of anything that's ever been observed. They have to list it, but they don't really believe in it.
Nobody would ever actually disable ActiveX controls and Active scripting, would they? I figured now was the time to try and see just how bad things were. I left related settings aside and did this only in the Internet zone.
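As an added example (not from this column or the CERT advisory), the following PowerShell script reports, and with -Apply disables, the Active scripting and ActiveX settings for one zone. It assumes the standard per-user IE zone registry layout (zone 3 = Internet, zone 0 = Local Machine) and the documented URL-action IDs; the parameter names are this example's own.

```powershell
# Audit (and optionally disable) the IE URL-action settings behind
# "Disable Active scripting and ActiveX" for one security zone.
# Zone IDs: 0 = Local Machine, 3 = Internet.
# Setting values: 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [int]$Zone = 3,     # Internet zone, the only zone changed in the article
    [switch]$Apply      # without -Apply the script only reports
)

$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"

# URL-action IDs (registry value names) and what each one controls
$actions = [ordered]@{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

if (-not (Test-Path $zoneKey)) { throw "Zone key not found: $zoneKey" }

$report = foreach ($id in $actions.Keys) {
    $current = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id
    if ($Apply -and $current -ne 3) {
        Set-ItemProperty -Path $zoneKey -Name $id -Value 3 -Type DWord
        $current = 3
    }
    [pscustomobject]@{
        Action  = $id
        Setting = $actions[$id]
        Value   = if ($null -eq $current) { 'not set' } else { $current }
        State   = if ($null -eq $current) { 'default' }
                  elseif ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] }
                  else { 'other' }
    }
}
$report | Format-Table -AutoSize

# Group Policy values override the per-user ones; flag that so the report is not misleading.
$policyKey = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
if (Test-Path $policyKey) { Write-Warning "Policy key present and takes precedence: $policyKey" }
```

Run it without arguments to see the current Internet-zone state; pass `-Zone 0` to inspect the Local Machine Zone the advisory also mentions.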
My Internet Explorer was a lot more functional than I expected in this condition, but I still had enough problems that if I felt this was the only way to run IE, I would switch browsers myself, probably to Firefox.
I don't think this is the only way to run IE, though, especially when Windows XP SP2 comes out.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.
A lot of Web sites just end up looking funny, with the fonts all wrong. ESPN is one of these. I assume they are using scripting to modify the DOM. Other parts of ESPN are dysfunctional to the point of there being many empty content boxes around the screen.
my bank's site, is completely busted. I looked at the page source, and the home page has a script-based browser type and version check, so this one's a definite no-go. In cases like this, I either used a different computer (I have a lot of them), or I used Firefox.