RE: [Full-Disclosure] IE is just as safe as FireFox
From: joe (mvpjoeware.net)
Date: Fri Nov 19 2004 - 09:51:43 CST
> Autoconfig script may enumerate hosts which don't require a proxy.
> Usually there are a very few intranet servers in corporate network.
You should have prefixed "there are very few..." with one of two things:
1. Relative to the internet...
2. In my experience...
I have been on several large corporate networks where there are hundreds or
thousands of intranet web servers hosting tens of thousands of sites. Many
large enterprise class companies are moving whole hog to web based apps
internally (even email) and all available content is on the internal web.
This is actually the area where IE is so strongly embedded due to its
application interfaces and what MS has been building towards for so long
with it. If you look at this space and compare how firefox renders/operates
next to IE you will see why many companies chose IE as their official
browser even in the face of having more exposure due to security. A lot of
that depends on how the web site is designed/built but there is a lot of
functionality there that can only be reached (and thereby exploited) on IE.
There are companies whose primary LOB applications internally are on IIS
servers and can only be accessed with IE. In those cases it isn't a simple
pick up and replace the browser scenario.
> More, I consider IE feature to ignore proxy for LAN hosts may be
> dangerous. Imagine a worm which spreads by this algorithm: it
> launches HTTP service on victim host, lures user at another PC to
> open URL pointing to victim, then launches on target PC. The fact
> that the previously affected host is situated in the Local intranet zone
> significantly facilitates worm spreading.
I wouldn't really call that a worm. Worms work without interaction. They are
self-propagating/replicating. Malware that spreads but requires user
interaction would generally just be called a virus.
Overall trying to push intranet users accessing intranet content through a
proxy to sanitize web pages would be unsatisfactory because it couldn't
fully be enforced since the content is available right there on the
intranet. Someone could do some form of offline gather or use many different
tools to get the data so forcing firefox or IE to go to a specific proxy
does nothing for you. You would have to put the intranet servers behind some
sort of firewall that you would have to access them through. Plus you
obviously have to scale the proxy to a completely different level if
processing all intranet requests as well as internet requests.
Let me choose if I even want a browser loaded thanks!
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Raoul
Sent: Friday, November 19, 2004 5:01 AM
To: Esmond; full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox