Thread: News - Microsoft patches critical Internet Explorer hole

  1. #17
    TheAnimus

    Quote: Originally Posted by aidanjt
    Eh? FF doesn't need security policies, because it's plain contained to a user's profile, it has no low-level CraptiveX system access at all. And a sane package manager can push out security addons and updates to FF over the network.
    For a start off ActiveX is bloody useful. The amount of systems that have been quickly knocked together that use it are not going anywhere soon. This is *slightly* off topic however as.

    FF has lower level access than IE, because IE will by default run in protected mode. FF does not.

    Now I'm not for a second saying that protected mode is a panacea, in fact I would say I dislike it in the way I dislike firewalls being used as a solution for chronically bad design (I always say write your nTier stuff as if it was all PUBLIC, then with the firewall as an added bonus! It's not as if it's remotely hard to do your remoting very securely nowadays!)...

    And on to the actual crux of the matter, most corporate network guys are completely incompetent lazy good for nothing bums. Except the ones here of course. Any chance of that Visio license that was requested and authorized over a month ago being installed any time soon?

    The thing is FF doesn't have anything as simple as the policy manager IE has inside a Windows AD. And a shocker is most companies run that, and want something which slides in nicely.
    throw new ArgumentException (String, String, Exception)

  2. #18
    Moby-Dick

    Quote: Originally Posted by badass
    Do they run on later versions of IE than 6?
    That's one thing I hate about corporate desktops. Most still use IE6. We currently use IE7 as we haven't had enough time to test IE8 and by the time we have, we will be planning a Windows 7 rollout so it's a bit moot.
    Most of them are tested on IE7 as a minimum thankfully.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #19
    dangel

    My wife's work insists on IE6 - and so when she wants to work from home she has to use an XP VM with IE6 in it (no way am I letting it out of the 'box!). Worse, they insist on a really old java runtime too so all the more reason to keep it 'confined'.
    Crosshair VIII Hero (WIFI), 3900x, 32GB DDR4, Many SSDs, EVGA FTW3 3090, Ethoo 719


  4. #20
    badass

    Quote: Originally Posted by aidanjt
    Eh? FF doesn't need security policies, because it's plain contained to a user's profile, it has no low-level CraptiveX system access at all. And a sane package manager can push out security addons and updates to FF over the network.
    Ignoring the policy based controls of internet exploder (sic) for now, how about single sign on?
    My users access several web based applications. They never have to type their username and password apart from at logon to their PC and to unlock. Firefox can't do that.
    Don't even suggest that it's OK for the users to have to retype their usernames and passwords every time they use a web page.
    Last edited by badass; 25-01-2010 at 04:05 PM.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  5. #21
    badass

    Quote: Originally Posted by Moby-Dick
    Most of them are tested on IE7 as a minimum thankfully.
    Better than most large enterprises then. You must have control of your devs.
    Most places don't realise how much their devs have ****ed everything they make up until it breaks.

  6. #22
    Moby-Dick

    No, we have a hardcore security office.

  7. #23
    aidanjt

    Quote: Originally Posted by TheAnimus
    For a start off ActiveX is bloody useful.
    All security nightmares were considered 'useful' by someone.

    Quote: Originally Posted by TheAnimus
    FF has lower level access than IE, because IE will by default run in protected mode. FF does not.
    Every application runs in protected mode. IE bypasses OS barriers with ActiveX's sink through the user's contained privileges. The 'protected mode' you're thinking of is IE's white/blacklist for granting/denying sites access to certain insecure IE features. FF does not do that because it doesn't need to do that.

    Quote: Originally Posted by TheAnimus
    And on to the actual crux of the matter, most corporate network guys are completely incompetent lazy good for nothing bums. Except the ones here of course. Any chance of that Visio license that was requested and authorized over a month ago being installed any time soon?

    The thing is FF doesn't have anything as simple as the policy manager IE has inside a Windows AD. And a shocker is most companies run that, and want something which slides in nicely.
    True, but perhaps if they actually hired competent admins they wouldn't continuously have to explain why they're 'attacking' other organisations, companies, and government. Personally I think they should be fined every time their network is used as part of an attack, at least that would provide them the fiscal incentive to hire people who know what they're doing.
    Quote: Originally Posted by Agent
    ...every time Creative bring out a new card range their advertising makes it sound like they have discovered a way to insert a thousand Chuck Norris super dwarfs in your ears...

  8. #24
    aidanjt

    Quote: Originally Posted by badass
    Ignoring the policy based controls of internet exploder (sic) for now, how about single sign on?
    My users access several web based applications. They never have to type their username and password apart from at logon to their PC and to unlock. Firefox can't do that.
    Don't even suggest that it's OK for the users to have to retype their usernames and passwords every time they use a web page.
    That's perfectly doable without ActiveX or IE. Do you think I'd bother with this forum if every time I loaded forums.hexus.net I had to type in my username/password?

  9. #25
    Funkstar

    Quote: Originally Posted by aidanjt
    That's perfectly doable without ActiveX or IE. Do you think I'd bother with this forum if every time I loaded forums.hexus.net I had to type in my username/password?
    Saving a cookie is not the same as using the Windows login credentials.

  10. #26
    aidanjt

    Quote: Originally Posted by Funkstar
    Saving a cookie is not the same as using the Windows login credentials.
    Yes it is, it's exactly the same, when you log into an AD domain Windows gives you a personal cookie. That's how ActiveX apps know if you're logged on and who you're logged on as. It's not voodoo magic. And aside from that, there's a number of methods you can use to make FF utilise your Kerberos ticket for complete AD integration.

  11. #27
    TheAnimus

    Quote: Originally Posted by aidanjt
    Yes it is, it's exactly the same, when you log into an AD domain Windows gives you a personal cookie. That's how ActiveX apps know if you're logged on and who you're logged on as. It's not voodoo magic. And aside from that, there's a number of methods you can use to make FF utilise your Kerberos ticket for complete AD integration.
    No, it's nowhere near the same, security tokens are a lot more complex.

    The only one I've ever implemented by hand was: http://en.wikipedia.org/wiki/Kerberos_(protocol)

    Now that is in a different league to a cookie with a 1-to-1 mapping.
    Quote: Originally Posted by aidanjt
    All security nightmares were considered 'useful' by someone.
    Quite. The problem is the risk vs reward. All software features can be seen as a cost benefit analysis, in the case of ActiveX, I stand by my previous statement, that as a consultant I've seen many cases of it that make me cringe, think wow that's clever, and how the ***k are we going to migrate away from that!?!

    The fact so many people used it shows its usefulness, yes many were blind to the security model risk, but it was used.
    Quote: Originally Posted by aidanjt
    Every application runs in protected mode. IE bypasses OS barriers with ActiveX's sink through the user's contained privileges. The 'protected mode' you're thinking of is IE's white/blacklist for granting/denying sites access to certain insecure IE features. FF does not do that because it doesn't need to do that.
    I'm not in the scene much any more, but last time I was looking at privilege escalation it was always by messaging other processes, never via this. If you have any more info on this, I'd love to read about it, because I've got some old legacy stuff at an old client that if I was able to say "hey no probs you can run protected mode with this in it" on the intranet, they would be very grateful, as at the moment it's a gaping hole. So please the info would be appreciated, because what you're saying vs the documentation and my observations, well they are not exactly remotely aligned, more orthogonal....
    Quote: Originally Posted by aidanjt
    True, but perhaps if they actually hired competent admins they wouldn't continuously have to explain why they're 'attacking' other organisations, companies, and government. Personally I think they should be fined every time their network is used as part of an attack, at least that would provide them the fiscal incentive to hire people who know what they're doing.
    And where do you find these people?

    People are really hard to hire, they are damned annoying, they get sick, they leave you, they want more money....

    The other thing is it's very hard for a large firm to do anything, by the time you've got sites that follow the sun, and created a homogeneous environment across the lot (often down to standardising that EVERYONE uses English!) these things become very large red tape affairs.

    It really isn't as saying "experienced unix admin wanted!".

    That said I fully support the idea of fining people for some form of network negligence, but it should also apply to ISPs for spam bot nets too.