From: Russ (Russ.CooperRC.ON.CA)
Date: Mon Apr 08 2002 - 20:42:03 CDT

    There's no doubt that there has been a change in the approach of some
    people who report vulnerabilities in IE. I don't speak specifically of
    GreyMagic Software, but they can be cited for the same problem I would
    say Georgi Guninski currently suffers from.

    It's good to point out suggested workarounds. They are needed, and
    important, if you are to take any action based on information provided
    for which there is no specific fix. GreyMagic's 4 vulnerabilities
    pointed out today all have the same workaround, namely, disable the
    scripting of ActiveX objects (in addition to disabling Active
    Scripting).

    There's no doubt this works, and clearly it's a simple remedy. Guninski
    recently stopped recommending this and started recommending switching to
    another browser (which as most of us know, isn't a realistic
    workaround).

    GreyMagic's vulnerabilities are all covered under a new feature of IE
    6.0, namely, the ability to create lists of Administrator approved
    ActiveX controls. While this has no real value for the average person,
    Administrators can take advantage of this setting to restrict which
    controls can be scripted. If this setting is applied in all zones, it
    actually can control many of the recent vulnerabilities announced.

    With Firewalls and Routers we know that a default deny rule is the only
    way to go, explicitly allow those things you must. IE 6.0 offers
    Administrators that opportunity.

    I'm not saying it's the answer to everyone's questions, or the solution
    to all of IE's woes, but if more Administrators would use it they'd have
    far fewer surprises coming their way from GreyMagic...;-]

    Cheers,
    Russ - NTBugtraq Editor
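The "apply it in all zones" point above can be checked rather than assumed. The following audit script is an added example, not part of Russ's post or of any Microsoft tooling; it assumes the documented zone action 1200 ("Run ActiveX controls and plug-ins", where 0x10000 means "Administrator approved") and the `AllowedControls` policy key for the approved-control list. Verify both against the Group Policy template on your build before relying on the output.

```powershell
# Added example: audit whether every IE security zone is set to
# "Administrator approved" for running ActiveX controls (default deny),
# and list the controls that have been explicitly approved.
# Assumptions (verify against your build's Group Policy template):
#   - zone action 1200 = "Run ActiveX controls and plug-ins";
#     0x10000 = Administrator approved, 0 = Enable, 1 = Prompt, 3 = Disable
#   - approved CLSIDs are subkeys of ...\Internet Settings\AllowedControls

$zoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                 3 = 'Internet';      4 = 'Restricted Sites' }
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneActiveXSetting {
    param([int]$Zone)
    # A machine policy value takes precedence over the per-user setting.
    foreach ($root in @($policyRoot, $userRoot)) {
        $key  = Join-Path $root "Zones\$Zone"
        $item = Get-ItemProperty -Path $key -Name '1200' -ErrorAction SilentlyContinue
        if ($item) { return [int]$item.'1200' }
    }
    return $null   # nothing configured for this zone
}

foreach ($zone in 0..4) {
    $value = Get-ZoneActiveXSetting -Zone $zone
    $state = switch ($value) {
        0x10000 { 'Administrator approved (default deny)' }
        0       { 'ENABLED - any control may run' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { 'not set / unknown' }
    }
    '{0,-16} (zone {1}): {2}' -f $zoneNames[$zone], $zone, $state
}

# The allow list only matters once the zones above point at it.
$allowed = Join-Path $policyRoot 'AllowedControls'
if (Test-Path $allowed) {
    'Administrator-approved CLSIDs:'
    Get-ChildItem -Path $allowed | ForEach-Object { '  ' + $_.PSChildName }
} else {
    'No administrator-approved control list is defined.'
}
```

Any zone that reports ENABLED or "not set" is one where the allow list does not apply, which is exactly the gap the post warns about.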