IE Issues, articles, and guidance (v0.01)
If you must use IE, lock it down as much as possible and stay on top of the configuration!
Try the following to help make things better in the future:
- Ask vendors NOT to use IE-specific features: support the open standards and become browser independent
- If they are using them, ask when they plan to phase them out
- If you are thinking about purchasing such a product, look for a browser-independent alternative
- If you must buy it, reduce your "offer" to account for the extra work. Example:
  - System is $300,000 and must use IE, IIS, ActiveX, VBScript, DHTML, JavaScript, Java, etc.
  - The added maintenance of supporting these insecure gizmos will cost you $75,000 over the product life
  - Offer them $300,000 for a good version, $225,000 as is, or, if they fix some of the issues, something between $225K and $300K.
  - Also offer them part of the $75,000 "extra support cost fee" if they fix things quickly after purchase (like $60,000 if they fix it in a year or $25,000 if they fix the worst parts now)
What does the US Computer Emergency Response Team say?
US CERT:
*Do not follow unsolicited links*
Do not click on unsolicited URLs received in email, instant messages,
web forums, or internet relay chat (IRC) channels. While this is
generally good security practice, following this behavior will not
prevent exploitation of this vulnerability in all cases.
*Use a different web browser*
There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model,
MIME type determination, and ActiveX. It is possible to reduce exposure
to these vulnerabilities by using a different web browser, especially
when browsing untrusted sites. Such a decision may, however, reduce the
functionality of sites that require IE-specific features such as DHTML,
VBScript, and ActiveX. Note that using a different web browser will not
remove IE from a Windows system, and other programs may invoke IE, the
WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).
Text above is from this CERT advisory
Articles and IE information (historical):
These were pulled from the latest security issues as seen on Security Watch
