Is this a real Security risk?

Guest

My boss sent me an email containing this context and he got all freaked out.
I don't think it is that much of a problem because we have all of the
Microsoft updates and third party security software, but I just wanted to
check and see if this is critically necessary.


To All Internet Explorer Users:


You need to be made aware of a potential security risk when using IE. The
risk comes with a particular configuration setting for scripting. If
enabled, anything you have stored in your copy/paste buffer can be sent to a
linked Web site with no knowledge of the user. This is especially risky if
you have copied something confidential (social security #, credit card #,
etc.) to the buffer for use to paste in another application. If you were to
go to a compromising Web site afterwards, that site would get the buffer
information without your knowledge.



Try this for size: Use any app (Word, Notepad, etc.), highlight some text,
right-click and Copy. Go to
http://www.friendlycanadian.com/applications/clipboard.htm. Surprise,
surprise… see what appears.



To get around this potential problem, go to Tools -> Internet Options... ->
Security -> Internet -> Custom Level... -> Scripting -> Allow paste
operations via script: set to “Prompt” or to “Disable”.
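
The setting named in the quoted e-mail can also be read from the registry, which is handy for checking many machines. This PowerShell script is an added example, not part of the original post; it assumes the setting is stored as URL action 1407 under the Internet Settings zone keys (0 = Enable, 1 = Prompt, 3 = Disable), and the `-Harden` parameter name is made up for this example.

```powershell
# Added example: audit (and optionally change) "Allow paste operations via script".
# URL action 1407 is the scripted-paste action; zone 3 is the Internet zone.
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$Harden   # hypothetical parameter: omit it to audit only
)

$action   = '1407'
$policies = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$zones    = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$suffix   = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Group Policy values (under \Policies\) override the per-user and per-machine ones.
$roots = @(
    "HKCU:\Software\$suffix",
    "HKLM:\Software\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKLM:\Software\Policies\$suffix"
)

if ($Harden) {
    # Write the per-user value for the Internet zone only.
    $target = Join-Path $roots[0] '3'
    $dword  = if ($Harden -eq 'Prompt') { 1 } else { 3 }
    Set-ItemProperty -Path $target -Name $action -Value $dword -Type DWord
}

$report = foreach ($root in $roots) {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $key   = Join-Path $root "$zone"
        $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        if ($null -eq $value) { continue }   # value not set at this location

        $name = if ($policies.ContainsKey([int]$value)) { $policies[[int]$value] }
                else { "Unknown ($value)" }
        [pscustomobject]@{
            Zone    = $zones[$zone]
            Setting = $name
            Risky   = ($zone -eq 3 -and [int]$value -eq 0)   # Internet zone left on Enable
            Key     = $key
        }
    }
}

$report | Format-Table -AutoSize
```

A row with `Risky` set to `True` means the Internet zone still allows scripted paste without a prompt at that registry location.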
 
Leythos

My boss sent me an email containing this context and he got all freaked out.
I don't think it is that much of a problem because we have all of the
Microsoft updates and third party security software, but I just wanted to
check and see if this is critically necessary.


To All Internet Explorer Users:


You need to be made aware of a potential security risk when using IE. The
risk comes with a particular configuration setting for scripting. If
enabled, anything you have stored in your copy/paste buffer can be sent to a
linked Web site with no knowledge of the user. This is especially risky if
you have copied something confidential (social security #, credit card #,
etc.) to the buffer for use to paste in another application. If you were to
go to a compromising Web site afterwards, that site would get the buffer
information without your knowledge.



Try this for size: Use any app (Word, Notepad, etc.), highlight some text,
right-click and Copy. Go to
http://www.friendlycanadian.com/applications/clipboard.htm. Surprise,
surprise… see what appears.



To get around this potential problem, go to Tools -> Internet Options... ->
Security -> Internet -> Custom Level... -> Scripting -> Allow paste
operations via script: set to “Prompt” or to “Disable”.

If you set your IE security setting as per Microsoft suggested HIGH-
SECURITY mode, you would not have to worry, but then most websites will
not work properly either.

Look up "Internet Explorer High Security Settings" in google.com and
read a few articles on it.
 
Will Denny

Hi

If it was a Security Bulletin from MS, it would have started something like
this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Otherwise disregard it.

--


Will Denny
MS MVP Windows Shell/User
Please reply to the News Groups
 
Vanguard

Will Denny said:
Hi

If it was a Security Bulletin from MS, it would have started something
like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Microsoft uses PGP for digital signatures rather than their own x.509
security certificate(s)? Why would Microsoft go to a 3rd party for digital
signing when they already have their own mechanism?
 
Guest

Vanguard said:
Microsoft uses PGP for digital signatures rather than their own x.509
security certificate(s)? Why would Microsoft go to a 3rd party for digital
signing when they already have their own mechanism?

They're just mad
 
Guest

The email that your boss got would definitely be spam because it is not from
Microsoft because they digitally sign all their messages and they didn't send
me one.
 
Vanguard

I have never received unsolicited e-mails from Microsoft so I cannot attest
that Microsoft (for legit e-mails from them rather than phish or spam mails)
ever used PGP for digital signing. I did subscribe at one time to some of
their newsletters but don't remember them ever being digitally signed by ANY
method.
 
Richard Urban

Every security bulletin I have received from Microsoft for the past 1 1/2
years, or so, has begun with:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I also subscribe to their service.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
Vanguard

Richard Urban said:
Every security bulletin I have received from Microsoft for the past 1 1/2
years, or so, has begun with:


Is that one of their standard newsletters to which I could subscribe? If
so, I'd like to subscribe to see them using PGP.
 
