Stop Using Internet Explorer NOW!

[IE is a Bomb!]

http://blog.washingtonpost.com/securityfix/2006/03/attacks_on_internet_explorer_f_1.html

Of course one of MS's solutions is to download and use its buggy beta
of IE7, that's how much they care about its users!

Use any browser that doesn't use the IE engine at all. I use Firefox,
myself.

Anyone that uses IE is asking for problems, and MS is too slow to get
out a patch to its users. Dump IE! It is the ONLY intelligent
solution!

 

[Imhotep]

I have been saying that for years. The problem is that you have too many MS
zombies (or drones if you prefer) who can not think for themselves...

 

[Gordon]

I have been saying that for years. The problem is that you have too many
MS zombies (or drones if you prefer) who can not think for themselves...

It's not quite as simple as that - you can draw a parallel between the usage
of IE and the usage of Linux. Most users are not given a choice - their
computers only come with IE and they are NOT told that there are other and
better browsers out there, certainly not by Microsoft. Same as most
computer buyers do not get a choice of OS - it's windows or nothing - they
are not told by the retailers that there IS a choice of OS's. (And before
MAC owners get hot under the collar you have to get your MAC from a MAC
shop AFAIK....)

 

[Dave B]

How about that, a beta with bugs, what are they thinking?
Can we file this post under useless, uninformed ramblings?

 

[WTC]

http://blog.washingtonpost.com/securityfix/2006/03/attacks_on_internet_explorer_f_1.html

Of course one of MS's solutions is to download and use its buggy beta
of IE7, that's how much they care about its users!

Use any browser that doesn't use the IE engine at all. I use Firefox,
myself.

Anyone that uses IE is asking for problems, and MS is too slow to get
out a patch to its users. Dump IE! It is the ONLY intelligent
solution!

The "ONLY intelligent solution" is for user a to run as a limited user (not
administrator or power user) and have a properly configured Internet
Explorer. Then exploits and malware/spyware will have a very difficult time
to run or install on the computer. Firefox is not the solution.

 

[Jon]

The "ONLY intelligent solution" is for user a to run as a limited user
(not administrator or power user) and have a properly configured Internet
Explorer. Then exploits and malware/spyware will have a very difficult
time to run or install on the computer. Firefox is not the solution.

What would be handy, following on from that, would be a (one-click) way of
quickly toggle the privilege level of an account between administrator and
'limited' ie without having to plough through the User Accounts menus.

Perhaps someone already knows of a good solution to that.

Jon

 

[Guest]

Why not configure IE and Windows security correctly so that does not happen?

 

[Patti MacLeod]

What would be handy, following on from that, would be a (one-click) way of
quickly toggle the privilege level of an account between administrator and
'limited' ie without having to plough through the User Accounts menus.

Perhaps someone already knows of a good solution to that.

Jon

Creating two accounts, one Admin and one Limited, then utilizing Fast User
Switching, although it takes a few clicks, is a good solution to that.



Regards,

 

[Jon]

The "ONLY intelligent solution" is for user a to run as a limited user

Creating two accounts, one Admin and one Limited, then utilizing Fast User
Switching, although it takes a few clicks, is a good solution to that.



Regards,

Yeah, not bad. I suppose I was thinking of a quick toggle button (perhaps
requiring you to enter a password for security's sake) that you could press
to downgrade your account (eg prior to surfing the net) and upgrade it (eg
prior to installing a new piece of software). Perhaps a good solution would
be to script that "Fast user switching" process, that you mentioned, or
perhaps something via the "net user" command. Something to ponder anyhow.
Thanks.

Jon

 

[WTC]

Yeah, not bad. I suppose I was thinking of a quick toggle button (perhaps
requiring you to enter a password for security's sake) that you could
press to downgrade your account (eg prior to surfing the net) and upgrade
it (eg prior to installing a new piece of software). Perhaps a good
solution would be to script that "Fast user switching" process, that you
mentioned, or perhaps something via the "net user" command. Something to
ponder anyhow. Thanks.

This something I do when I need Admin level privileges when running as a
Limited User is to use the RunAs command. Right-click a program/shortcut and
you should see "Run as..." on the context menu or type "runas /?" in the
command prompt or "runas" in the Help and Support for more information.

 

[Jon]

This something I do when I need Admin level privileges when running as a
Limited User is to use the RunAs command. Right-click a program/shortcut
and you should see "Run as..." on the context menu or type "runas /?" in
the command prompt or "runas" in the Help and Support for more
information.

Yes, thanks for that. Good suggestion.

Just tried creating a shortcut to "User Accounts"
C:\WINDOWS\system32\nusrmgr.cpl

on the desktop, which also allows that "Run as" option you mentioned.

Using that you can toggle the account between a limited and Admininstrator
account, without leaving the account (as I've done previously to change the
account status back to Administrator from limited).

Thanks again.

Jon

 

[Stephen Howe]

Anyone that uses IE is asking for problems, and MS is too slow to get

out a patch to its users.

It is not that they too slow, it is Microsoft's stupid policy again.
Did they not learn anything out of the WMF flaw bug?

See here
http://news.bbc.co.uk/1/hi/technology/4849904.stm
where it makes it clear that MS is waiting 11 days before these bugs are
fixed.

But whenever an exploit is 0-day (as this is), Microsoft don't have any
time.
I predict that over the next 11 days this problem will get significantly
worse and MS will get criticised (rightly so) for failing to release a bug
fix.

Whenever it is "0-day" exploit and it is serious, MS have to get active and
release out-of-cycle.

Stephen Howe

 

[q_q_anonymous]

This something I do when I need Admin level privileges when running as a
Limited User is to use the RunAs command. Right-click a program/shortcut and
you should see "Run as..." on the context menu or type "runas /?" in the
command prompt or "runas" in the Help and Support for more information.

what technically are the restrictions on limited users?
"sometimes they can't install programs"?
so, the can run an EXE, but not if the EXE puts files on the drive?
not if the EXE creates a directory?

 

[WTC]

what technically are the restrictions on limited users?
"sometimes they can't install programs"?
so, the can run an EXE, but not if the EXE puts files on the drive?
not if the EXE creates a directory?

Start reading these articles

Applying the Principle of Least Privilege to User Accounts on Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

Using a Least-Privileged User Account
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

 

[Gordon]

WTC wrote:

The "ONLY intelligent solution" is for user a to run as a limited user

But as most pre-installed instances of XP come with NO admin password, it
doesn't MATTER whether the user runs as limited or not - with NO admin
password a script can run as admin without the user's knowledge.......

 

[Enkidu]

The "ONLY intelligent solution" is for user a to run as a limited
user (not administrator or power user) and have a properly configured
Internet Explorer. Then exploits and malware/spyware will have a very
difficult time to run or install on the computer. Firefox is not the
solution.

While I agree that this is a solution, I can't see that this helps the
kind of user who refers to the computer case and its contents as "the
hard drive", and thinks that the browser is Windows and Outlook Express
is 'the email'.

Cheers,

Cliff

 

[WTC]

WTC wrote:



But as most pre-installed instances of XP come with NO admin password, it
doesn't MATTER whether the user runs as limited or not - with NO admin
password a script can run as admin without the user's knowledge.......

Have you tried this before? The RunAs command or a script will NOT let you
run an account with a Blank (No) password. So your statement is false and
inaccurate.

<error>
RUNAS ERROR: Unable to run - C:\Program Files\Internet Explorer\iexplore.exe
327: Logon failure: user account restriction. Possible reasons are blank
passwords not allowed, logon hour restrictions, or a policy restriction has
been enforced.
</error>

Here is a script to try if you like,

----<Begin Script>-----
set WshShell = CreateObject("WScript.Shell")
WshShell.Run "runas /user:Serdar ""C:\Program Files\Internet
Explorer\IEXPLORE.EXE"""
WScript.Sleep 100
WshShell.Sendkeys "~"

----<End Script>-----

 

[Gordon]

Have you tried this before? The RunAs command or a script will NOT let you
run an account with a Blank (No) password. So your statement is false and
inaccurate.

I'm not talking about using the "runas" command. A malicious script can run
as Admin (ie can actually use administrator privileges) in pre-installed
versions of XP because there is no password protection.

 

[Leythos]

The "ONLY intelligent solution" is for user a to run as a limited user (not
administrator or power user) and have a properly configured Internet
Explorer. Then exploits and malware/spyware will have a very difficult time
to run or install on the computer. Firefox is not the solution.

Look at this from the perspective of a typical user:

1) They have no clue that there is another exploit
2) They don't know how to configure for High-Security
3) They don't understand trusted zone settings or how to add non-HTTPS
sites to it
4) They don't know which sites are good and which are not
5) In high-security mode, many websites are broken and don't display
properly.

FireFox, while not a perfect browser, does keep them from having to
constantly worry about the existing and new holes in the browser, the
default install will also prompt the user when updates come out (as does
Windows in most cases), and the user doesn't have to deal with many
sites not rendering properly.

We reduced service calls by 30% by switching users from IE to FireFox.

 

[WTC]

I'm not talking about using the "runas" command. A malicious script can
run
as Admin (ie can actually use administrator privileges) in pre-installed
versions of XP because there is no password protection.

Show me an example of a script you are talking about, please provide proof.
You have snipped the script that I provided and will NOT run with an Account
that has no password..