Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Scriptless IE Not Worth It



 By: Larry Seltzer
2004-07-05
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Scriptless IE Not Worth It
  2. ' Handling the Switch '

Rate This Article:
Poor Best
Scriptless IE Not Worth It
( Page 1 of 2 )

Opinion: Whenever there's another security hole in Internet Explorer, they tell you to disable Active Scripting and ActiveX as an interim measure. I gave it a try.The U.S. Computer Emergency Readiness Team gained a lot of attention with its advisory on the most recent Internet Explorer attack.

In the "solutions" section, it suggested—as the last of six things you might do—that you could use a different browser. Absolutely, and I wonder why the team doesnt make the same recommendation for numerous other products for which it lists vulnerabilities.

But I was more interested in the first listing in the solutions section: Disable Active scripting and ActiveX.

Disabling Active scripting and ActiveX controls in the Internet Zone—or any zone used by an attacker—appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning.

Instructions for disabling Active scripting in the Internet Zone can be found in the CERT/CC Malicious Web Scripts FAQ. See this Microsoft Knowledge Base article for information on securing the Local Machine Zone.

Also, Service Pack 2 for Windows XP, currently in beta release, includes these and other security enhancements for IE.

Ive seen this sort of recommendation very often in past security advisories, principally in those from Microsoft. Ive always thought of it as pro-forma stuff, kind of like the potential side effects listed on a medicine package, which is basically a list of anything thats ever been observed. They have to list it, but they dont really believe in it.

Nobody would ever actually disable ActiveX controls and Active scripting, would they? I figured now was the time to try and see just how bad things were. I left related settings aside and did this only in the Internet zone.

Resource Library:

My Internet Explorer was a lot more functional than I expected in this condition, but I still had enough problems that if I felt this was the only way to run IE, I would switch browsers myself, probably to Firefox. I dont think this is the only way to run IE, though, especially when Windows XP SP2 comes out.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

A lot of Web sites just end up looking funny, with the fonts all wrong. ESPN is one of these. I assume they are using scripting to modify the DOM. Other parts of ESPN are dysfunctional to the point of there being many empty content boxes around the screen.

Fleet Homelink, my banks site, is completely busted. I looked at the page source, and the home page has a script-based browser type and version check, so this ones a definite no-go. In cases like this, I either used a different computer (I have a lot of them), or I used Firefox.

Next Page: Seeing how other sites handle the switch.





  Reader Comments: Scriptless IE Not Worth It
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r㶲s\@♵M푦dKkmyYqfT(S$CReoВ/gA4ЍFh@λ$9acr3ݩc}:I]"I~x(3`R˩8AZNɑ!,Շ)~-slrCjwGl$J~x'A :#:UGPL95Μ k9ԗoˏne0-ZAQ6)֐N0o-Z P8 {(Z= ?+B4e$|ߢcoAT<ش' RTRX^P~FD;ǎb| yf ;U;ar7@SUؓ[vB䅠1FE8 u#J3v'u٪b'ӤbfHx#@б\./RF͌iAwtԭ=SźcG 5G(&$g=~0[ QM%$7 .lq`=2}h .*!}= :Ї7cϙy֛I]Ԓ],r"U)wC'>dС!ZdQ-}9e feo6 usҾVUBXW{Q.gچs[=7q*sЙZvϔi޽h^HQPw7@ږVa(WnG.:[ggAa'H|$Fj;}& D%\.I&0hNlx^X}t\卒^wny%ܲ_/hvd0-bv=ӧ0F_8rn򓹥uk]]^-k]['>ߙecfy 3?b Jg3B~5_:OOfKN:W>nu83tfAZ|[kUV1?x?-|kh2`=t8Lwj/ ?5;ǽ/-2 姣1I|]8fI~=흟Czn&j ݒEB_;X]K$jȱn>@|Ӡd0r* ߱n^S;G7ۯ脺f-Mn #dLi.gm-w za4Z@Lt&h)5?&1gMab&DJH7єye TI%嗋m|*(If([΀/3 BDԑ?CC0&pJn.b?_5 .awWʲ9QY +K\MޢG\zc'FUIn?ƇLqX18,]evb`\on:j~l:R7"TTU𷰊 h2e8l ԰2nБ>gA05tSOC|>9m'!|БdmxZ.S3Ї4!D& Ѐ?`;Nh>[W )@}9\Pl~>0-0!%ޥ6N\IQ M2(%E29 EEKy3@ $hՏ`źmIޑvZ*&RP*m=!ԑt挝Z*ݗh3aGe-n^ $ d6g2+IMipj1!UG,D`v9J,L.[ O6jԍebQ9Դr>Ҥ75C0sҺ<L X HS%\Ew,t 3AP9w1!v<:-%st0f"̴b֜i=MO9XScX`D Lz?qm/n$)LaV|\vLg˺VkͲT]۽/ 7RiO]օVPK= M2L% A-ʘŗZZG"JMP>V "Cɣ($me6L?InQy{gO>7l`( jrAj#SV-iV^Ϛa+ L 4 `*`b\0 N`Ncy9|NY{zl.n: 18yy4%2N?APt @IU5}끆 _ǂK e*8t5u{qq;[ZvOZŽtѐzgWs4&UE8` ;DzۃӜh2F ÑiHuߴIFʫ%e&-KrI)jLycl ԑq,Yri L*gXsM>QȺ='a(Juѧȹi 3 M~NV hPQ1 "I9Ou/F#~̧^ۨalE+ 5o` 12l3u&/zr|pE% yL*'i~Ò?DFCizi}~هF9#,!%HHo?ZDjPVVR尨V*߬ L3)' Sf|Ǿ3y翼;q_a4j eO)Z`3\xK}`x䓋2,*`ز|˘/ i¸JIz`LFsZman0L;3N۩O6{1 "8&Ԧg>jאpem&`|ѺIPɑ!Yd:w@ݐ ?z7fy@L Gzx؝LHuҘN7Hi炚X9Ť֊kέt)D ~hׂ35Mak}]\S~֬ݬb^ چHB&:Gd@#`Кv*4'wԪO6 h)XS!RW dĞeeS5Exކ'QyϤp3|9 |l93#ONp酛L+ 30SIl x@̬k}#w56霎0 M`}G ϣ1W5 `,fqN'A:KlC30XfSf~WKU08y{z&w̕ ܶ zORD7PUL xg4sDcC6VNM헅m"z';"#əV ̼~jsaS))rL*H+Utq͡/3Onq, UU;MyRf̚,*Cjm>a,0r]C)&!jخOl$o,y U8e3 -S`e3˕2~^`. JU-~ |{AcEi\ixmb=ǪBTuAR5TbPQKJB'Q!fA#G"ZAY_MkOkhs!p B0_\PF.^2I$̸yF0ŗ%K'G@lX;z6]6%Q;k\!c̚Òf$S, .IG:-ef{F*ݐ7UU :*ijAROpӁ9tGl~" tDwe2qy27(kMn@ &ݙ}adJ@*5]*; 1s0G\0R,WzHp?lZ.+~d9#R@BZNbx<'b{H '? aV*7o~.Rȓ$ |BJ D;}B^\㯌&нݽ]VUv&BQ`о(&[w,/ɪO@T #N;?Jϝ)hlsѓN/xǀsu_v^sq@DyiG߫%~_KKxiW}lz@JV-?\u>]4yCM q޲oSRh3 J@c$bw}ɾ3zZ^6a؆Z'0Z@ID*G^s.7>/ėt;g+~/ZR1^Rz0WN8k8`IN*axո O8>n48Z&IEyDCwȰ Z_ƥsl]qfiZ ^Ok5W'27p- ۵sgEw~uY PH2>(_!aPHR ~tDݽS4 jGYkNEm펇{6-~=`rrPR)&bz&I[և%uyjtJ1SBt 2H P,O&e=lI1 iKBih%bbVHRo{ٸ؜m ybXýMی3LJ$h dgKe 3 KqkP q,+ ` >ϣ+y-EY-Vy;q9z])LU9 yu?_9U+۾Lm3ytaH4S `'# eީӊNf|uѺB ~ݾM5V3!ʳ/q!~<,?4nڈbivEGgi\|靂&G-_ |2$?T-@V޼=4GoQwp]9Qz AC~k~挜71n3z{mvkbOf0CݥovV8}'i?vݷ;޽¾"CWq jk:i)`*9$XhHN d_~EVe.tѕNt;>ri ,Fud3D?yi1}doxzooo=إ%l-39"i NZ;x4oor:߇L?G OFxf79g#9P`G ܍)“g$`GDA5}缩g6A jm3Z0\k9f>V2OBc#ZT^?1;jTŷ̈́3S7pM_j ]%p Mko!1 %CKдg=.00yS/rK[⹋^]lQۍo%n!өi*2o٭[Q+U˻bۛPR%Έ{Ut!*ڭoYAr"j\nRRJ5)7amN֟ %5VMD#-v-;ÓV AOZ^|py:y֟9 (<_"r/FM-_|d݁銿 k(,=HM .eɨwl<!sU٭? `p'K.#y&fܵJ .Ý1Qs nzb\W&r?Y YuY"A3'ȧΝs[&8Ǵ T gi߆.HOb?QU=zgQŤR?Z'IEl3T _p&=+5 YOȧ,IUI?yE"^\Vk{܂*K,)Kq&&c͑/8_VҴl]ZME+ /Wzx4gヽ !/ wqPZpaUhеRbXq}@m{/ ͏ zbcY'P6b{96HI +2B&E$ϑIIdJkTH Lޭm~IU%6y/Cs#7m\yRbL.;6+3;DYz|){>*xCol0EIHJyS)<;H 8԰^挤5n/GB<&'T~i2Z?|k9RVK'Xl^7D5 zFKrzRØB#7JHg029s=!+߯E"#:ghu[!^9K6pEα3a;s蹡fQUdT=95 KCX)'sq{axe=bQ+=wrrCNLX̀i̗tPKW3v'%GN f兩b 8<ٖi* 軄g.aOkB6&^Hӫd2\FZAKVu3/]I3 0X`# {$H  +Ymn}7ss@(5 6smP]*S/!Kcf Vy6 jD꫟o8> ī4=ƃ|YtMc;K $ ITaI\W=t1,W 9&SsnY(t4/50uJr+V`rS*Ri GdU kvI=vg;h2lrCy٫L?7 y\ IoC. C*?8Xe:J=ݔJ[a=xÁxD]anݬa DȄ^aԈFl퇤A~w}w}w}wÊVU_->2{>`tMzZx?XyqXV_?m!o'!!›aYoZX:";@4=_usi1_C8Q`M,FyKÜa7s*bh! '3O6^&G >ذ.$Ku_oo~B]Em og~p8Ǯ^/aM &aWD6?ʷs$;>\F֌.ZSmCgkecoZN@"u"½mo Ґ:ǛJx*,k6ֱr>[ "*i>{}!&X7z!Q=9c_)ko.-}Ű''?^7&:OAXO_/Ym/ 8gV-* v/W,kXd=IyF -r= T?^<9C& $xVᥫ>ݳ^85<##D<1w?xX2/(_Z6`;TPs˅m.MEfAȢi \1U}ub?=G/ttAk-c"]J1x~[M̀+5fL4P;lNz yԥ:BMOETBhrFZ|Zca:Ok6zZC LezZC梇n&l)m'hzBRKovgO%٫54X}u9u: h pKyci2+Gx\G2C`m 4,\ |3\πTnA4`]"eR%|z3|P)ÿCrzvȟ_C)ZTCI{yU1XHಈuζücn?y r Ys0x kHх%(z0Yji+ 1 M?=x/{g?L6 d\z1W-fᮦq#Ϡ6jW2/'h[$տ(NY{{i/1~H+k[&< iҩHۡ蚛[*н,%&hPjߚcu)M +Kly/0̊ےVo4Jۅ]aiJ\#%'099m6=(n2t@$]M^J c#Q^D~x#nOn'*F&#ZIikxg42tixc)<1_+AJLB(fYiv' .GUov/?VH|Uݷd}exx_kJ"ꌯrK:M%6h#:&xM .o ^j$%p>< Pm̼ϴ@GBSxwaGd.$'"ٔkgv*K_!߰,VIm{7R[ Eꊍ\D*>cxUE(zhu뵮a/<>wfMd=)e`#oUM}NG|<8xc g<9asH ](Lng 2-`<280[7кlɧtC!ᘭ#!+A1HST~3?^]t}V 8 h0.gj9T%%P9 dU ?M=/W.nrj5-i`Ik0'ld DpswڗLQZj*!b3wȣ4ϓo }m~HM 0A vqY@y#LD݂zG(nbJ zIhD/xs u|`EP00aLnS0MpWFjt``\ovN*' @=:ςm s!aZ;<QB<䱤Pl <'/= pm?݉9e/( p @Ka1c~PoVR$4 >+>gٕa)豪Օo)ރ ;ee-u =M蕴B^Ȉq[w(_Ч6#&Do`9˳/sE"OGeݹ G5Z¶V-r5uu_;_N˫E/W?1WNna`1Dk 'MMo )nu:E+WMj^+Q_8v<(3ʿB׌+(Z_~NmdwQ[_4[P~sA ?/?mfnfCCL"nQʿ/?gag99?ς=Ϡ9<>yyy(_|P~Q(GF9g^dE\]d_O'Ct@t2%e\BˌW?Wwn=^~_ח_sV99@r 3ڿ\'I72q S*R~/2苬rXB]dCy>++P/Үw2 : ?3/^}NF&q\WKM0TntEg-5nZk ǸJuv ^_BBU$X2M*#(^>&c˼$=)>w槤Ixմ] &JRW[O'ikr(%s<2g!h{U2̱#{"aD4k{HO8ѭ?0=aއ^V_p3nz:t}aOvHqֿl|hlZ+O>j*85ߜ:S?,RK|c ,޻/a4D =C9}54]MWnPď;cebI@*5VZ*;mGx 5ɪ"+Uw9 طV++b`" ^x|Deiګ.91C=b;hǬ[ɖ^c(p E?&G&n5^ʘV,d 'Eu//{_۱ CR1 1@eN*q0*r6`%Q<783o 3=mz6.eа! ؒ9Nحa0 c|򷁞93 O,OSxWV0\9Kh ڧz4}z<80mJ)l1@Щ zu2s=\șP=wGp. ~8sG Z(3>/jphd1ck_$G1x_%05޷J›SAfr{^f$jA+_ac˙Z. c@8>cc6H[8=ۺ9t؆"1wUW-%_~s5 D 9b oc{sIdގ~1'A>ಓH+1QB n`Z(>/t} W"K]v`;Lx ÄqAbgHAأCDO&r/s{PNS)Y`_GFb#+&U7M&d v"ёsslPFs_9aoo!j[MA%c;ql>;Kuo+aG4 (TǨz1>IϐR(K)P vY{N6 )4Mϫ΢P$nR[w%+W*aʹD6vn J]1> V_dvO~-B+O 8>eCgI2T~kJ=*P=fZP v"0%Yz'Io=G}c_VeńK!l|4#ev\|m& ]*$##R.ܐOF{/)0XPy74<p2I0 n9iS[D:9Am'{'CU|ٲs1ebV!qmezӧW-[$@5E`1v4`ehDSL/Tvy*3*>% /1-im΢ƘJ:Ɛ9-)0p,\ftG6C|eKx7gܨN~"+1<&`#O]&\f\j_L.ѮBTvbbqY;g;"w6G}d ȑ(d}j6x9Na^|˼+AѮx'nal`d%K^F:H‡%C>KrX}rcd+{f:ePEXtl+!R+7`/=H^PpSgn)ZF,c ԭ<P0_C^ⅇ\bXeܔ1농QmQ-xa[8~n`PkpxˣŬ"D0Ȯ'Z:tsh;h[3THهl*~&o,{k+НTnxFK-^P?Q> χ"@Ԃ+"e})IDy{SL_?|T+s+ Sqk.ɛOByҹI'ٗRI>Sm}v4<~v趿 a% ѨT\_N{+;g,X5?~|hJҜ%!\5[i B"E{l/>$_zvC_&ȕ/g2F#oUAtMjez'1l5mEg,3lW'JZR۝wߺ"f/On6%c|NVKI+n^~)MS9Q2kFs+q>tgLp -ͱeRZ`l/Zw?r3:'