I agree, the Request Policy addon for Firefox is killer... it's why I use Firefox over IE anymore.
Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Friday, May 27, 2011 3:57 PM
To: NT System Admin Issues
Subject: Re: IE 0 Day, Heads up, Cookiejackin

On Fri, May 27, 2011 at 09:33, Ziots, Edward <[email protected]> wrote:
>
> http://www.networkworld.com/community/blog/ie-flaw-could-allow-hackers-access-your-faceb?source=NWWNLE_nlt_security_2011-05-27
>
> Microsoft is not too worried about this zero-day hole in all versions of
> IE. Microsoft spokesman Jerry Bryant said, "Given the level of required
> user interaction, this issue is not one we consider high risk. In order
> to possibly be impacted a user must visit a malicious website, be
> convinced to click and drag items around the page and the attacker would
> need to target a cookie from the website that the user was already
> logged into."
>
> /My Slant on the situation..
> Honestly, visiting a malicious website is about as easy as getting
> re-directed from a supposed known good site, due to any number of web
> application vulnerabilities (XSS, malicious iframes come to mind). And
> given if the user is already getting re-directed or hits the bad site,
> there is no telling what they might be tricked into doing.
>
> I do agree there might not be a high likelihood that the site that the
> attack stole the cookie from is the same site that the user is currently
> logged into, but if the attacker did steal the cookie (albeit
> credentials and otherwise) and replayed them to the sites they belong,
> it possibly could allow that attack to impersonate the legitimate user
> and do any number of things.
>
> Heads up gang, might be seeing a security advisory on this soon enough,

Few standard users understand how complex web pages are anymore.

I thought I had a good grasp on this, because of the NoScript addon in
Firefox, until I added the Request Policy addon as well. It's amazing.

While this isn't a critical security hole, it's going to be an important
one, I think.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
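The thread's concern is the second half of the attack: a stolen session cookie replayed against the site it belongs to, so the attacker is treated as the logged-in user. On the server side that replay usually leaves a visible trace, the same session id turning up from a second client while the original client is still active. The following is an added example, not code from the thread or from any of the products mentioned in it; it walks a few constructed access-log lines (the log format, the `sid=` cookie field and the 30-minute window are assumptions for the demo) and flags sessions that appear from a new source IP and User-Agent pair shortly after another client used them.

```python
"""Flag likely replay of a stolen session cookie from web access logs.

Added example (not from the mailing-list thread). The log format and the
field names are assumptions: each line is
    <ISO timestamp> <client ip> sid=<session id> <user agent ...>
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one user on 10.0.0.5, whose session 'abc123' is
# then presented from an unrelated host with a different User-Agent.
SAMPLE_LOG = """\
2011-05-27T09:30:00 10.0.0.5 sid=abc123 Mozilla/5.0 (Windows NT 6.1; MSIE 8.0)
2011-05-27T09:31:10 10.0.0.5 sid=abc123 Mozilla/5.0 (Windows NT 6.1; MSIE 8.0)
2011-05-27T09:35:42 203.0.113.9 sid=abc123 curl/7.21.0
2011-05-27T09:36:00 10.0.0.5 sid=abc123 Mozilla/5.0 (Windows NT 6.1; MSIE 8.0)
2011-05-27T09:40:00 10.0.0.7 sid=def456 Mozilla/5.0 (Windows NT 6.1; MSIE 8.0)
2011-05-27T11:00:00 10.0.0.8 sid=def456 Mozilla/5.0 (Windows NT 6.1; MSIE 8.0)
"""

Client = Tuple[str, str]  # (source ip, user agent)


@dataclass(frozen=True)
class Request:
    ts: datetime
    ip: str
    sid: str
    ua: str

    @property
    def client(self) -> Client:
        return (self.ip, self.ua)


@dataclass(frozen=True)
class Alert:
    sid: str
    original_client: Client
    new_client: Client
    ts: datetime


def parse_log(text: str) -> List[Request]:
    """Parse the assumed log format; lines without a session cookie are skipped."""
    requests: List[Request] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # maxsplit=3 keeps the User-Agent (which contains spaces) in one field
        ts, ip, sid_field, ua = line.split(maxsplit=3)
        if not sid_field.startswith("sid="):
            continue
        requests.append(Request(datetime.fromisoformat(ts), ip, sid_field[4:], ua))
    return requests


def find_replays(requests: List[Request],
                 window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Alert the first time a session id is used by a client that has not
    used it before, while some other client used it within `window`.

    A session legitimately changing address after a long idle period does
    not trigger an alert; two clients driving the same session at the same
    time does, which is what a replayed cookie looks like from the server.
    """
    seen: Dict[str, Dict[Client, datetime]] = {}  # sid -> {client: last use}
    alerts: List[Alert] = []
    for r in sorted(requests, key=lambda req: req.ts):
        clients = seen.setdefault(r.sid, {})
        if r.client not in clients:
            active = [(c, t) for c, t in clients.items() if r.ts - t <= window]
            if active:
                alerts.append(Alert(r.sid, active[0][0], r.client, r.ts))
        clients[r.client] = r.ts
    return alerts


if __name__ == "__main__":
    for a in find_replays(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} session {a.sid}: first used by "
              f"{a.original_client[0]} ({a.original_client[1]}), now presented "
              f"by {a.new_client[0]} ({a.new_client[1]})")
```

On the constructed log this yields a single alert for `abc123`, while `def456` moving from 10.0.0.7 to 10.0.0.8 eighty minutes later stays silent under the default window. The window is the tuning knob: widening it catches slower replays at the cost of flagging users who legitimately roam between networks, and a real deployment would pair the alert with forcing re-authentication for that session rather than just logging it.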
