moved to IE forum, renamed and stuck.

peterska2

"Big B's Response: Run IE as a less privileged user, all bugs fixed without patching. Gee that was tough."

Unless I'm missing something the problem is not with the account...it's the fact that IE, which operates with the OS at the system level, can be used to attain system level privileges or root which you may have heard of.

Unless, I too, am missing something, wouldn't running as a limited user prevent this unauthorized access in the first place?

~Masta

i dont understan

Huh? lol

~Masta

The user is not the problem if the browser is calling functions at the system level. Just because the browser is opened by the user does not mean that all functions run by the browser are also run as that user...they're run on the system level. Say you hit a website and IE is trying to interpret script, the function to process that code is passed in a system level process. If that process executes code which is able to exploit a vulnerability in the OS the result could be system level privileges to execute the code of choice, the box is owned - root has been owned...because the process operates at the system level, which is independent of who is logged in or what rights they have. If they can run IE the problem still exists. Sure you could limit the users to be unable to run IE but that's not a very good solution. The culprit here is the OS itself...not the user. Patch the box!

Agreed. Of course, using an alternative browser couldn't hurt. Although, I will admit, I have read about certain vulnerabilities, where, utilizing IE or not, could still give an attacker root on the machine. However, most would agree that using a less privileged account is going to mitigate many future vulnerabilities.

Yeah really!
People always ask me why I never patch my personal windows systems, well here is a fine example of seven worthless patches that I won't be applying. People it's not that hard to read a book or two.
Why I am not installing any of these.:

• MS03-041:
  A properly configured system according to Microsoft's TFM should only allowed trsuted sites to execute ActiveX. I have included this and have gone above and beyond by configuring internet client software to run as the user CLIENT_NET which is a member of GUESTS. Even trusted code execution will be limited to this user's powers and not be able to make any non-password prompted changes to the user's environment.
• MS03-042: Same as above
• MS03-043: The TFM indicates the Messsenger service should be disabled unless it is remotely filtered (so for LAN use only).
• MS03-044: The TFM suggests the disabling of the HCP protocol and users are to be directed to the local administration for support.
• MS03-045: The utility manager should not be used by normal users and should be disabled, this is covered indirectly in the TFM as well.
• MS03-046: The Exchange TFM discusses the value of filtering SMTP protocol extensions. IAS fills this role very nicely.
• MS03-047: I use exchange server 2000.
• You do the math

I really love how Microsoft lists the proper configuration as a work around as to not make people that failed to apply the proper configuration in the first place feel stupid. And people say they are evil. *wink*wink*

I dont see how this sloves anything as IE is run on the system level regardless of whos using it unstuck