News and views from a software developer's perspective
There's something troubling about this security bulletin. Here are a few examples of what I am talking about:
Specifically, it [Internet Explorer] incorrectly treats scripts embedded in cookies as if they should be run in the Local Computer zone, rather than the same zone as the web site with which the cookie is associated.
No, no, no! Scripts in cookies should not be run at all. Not under any zone! A cookie should be passed back to the web server. That's all!
And the second vulnerability:
The vulnerability results from a flaw in how IE applies security zones to objects invoked on an HTML page with the codebase property. In certain instances, IE incorrectly reckons these objects as being part of the Local Computer zone, even though the page itself is in a different zone, such as the Internet zone.
So, Internet Explorer has a broad category called the Local Computer zone, that gives broad privileges to code embedded in a web page. Seems to me that they should just eliminate this broad category. They should make it very difficult to run code that is embedded in a web page. I mean VERY, VERY difficult. Like, maybe someone should have to sit down at your computer and run an install script locally. As long as they make it easy to put <OBJECT> tags in a web page that can run programs, there will be more vulnerabilities. As long as they have a broad "Local Computer" category with unlimited privileges, there will be more vulnerabilities. This is not rocket science! How about a little common sense?
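The cookie point above comes down to one rule: a cookie is data the browser stores and sends back, never code to be run. The snippet below is an added illustration, not code from the post or from Microsoft, showing what goes wrong when a page puts a cookie value into markup without treating it as text, and the escaped alternative. The `parseCookies`, `escapeHtml`, `renderGreeting*` names and the `SAMPLE_COOKIE` string are all constructed for this example.

```javascript
// Added example (not from the original post): treat cookie contents as opaque
// text. The only thing a page should ever do with a cookie value is display it
// as text or send it back to the server.

// Parse a document.cookie / Cookie-header style string into a Map.
// Values are kept verbatim; malformed pairs without "=" are ignored.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    if (eq < 0) continue;                 // no "=": not a name=value pair
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Minimal HTML escaping for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// UNSAFE: the raw cookie value is interpolated into markup. If a page
// assigned this string to innerHTML, a cookie carrying "<script>" or an
// "<img onerror=...>" payload would execute in the page's own origin,
// which is exactly the "script in a cookie gets run" failure.
function renderGreetingUnsafe(jar) {
  const user = jar.has("user") ? jar.get("user") : "guest";
  return `<p>Welcome back, ${user}</p>`;
}

// SAFE: the cookie value is escaped, so whatever it contains can only ever
// be rendered as visible text, never parsed as tags or script.
function renderGreetingSafe(jar) {
  const user = jar.has("user") ? jar.get("user") : "guest";
  return `<p>Welcome back, ${escapeHtml(user)}</p>`;
}

// Constructed sample input: a cookie jar whose "user" value was tampered
// with to carry a script tag.
const SAMPLE_COOKIE =
  "session=abc123; user=<script>alert(1)</script>; theme=dark";

const jar = parseCookies(SAMPLE_COOKIE);
console.log("unsafe markup:", renderGreetingUnsafe(jar));
console.log("safe markup:  ", renderGreetingSafe(jar));
```

The same rule applies on the server: a cookie value is untrusted input like any query parameter, so it gets validated and escaped for whatever context it lands in, and is never passed to an interpreter.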
Here is a test of my first post to the weblog.
