-
May 6th, 2008, 10:29 PM
#11
Originally Posted by JPnyc
Something I don't understand there. They're instantiating an ActiveX object. Wouldn't that be blocked by most people's security settings these days? I know it would be by mine.
Yeah, but it's like the rest of the security warnings in Vista; I think that most people would just click to allow without thinking twice.
-
May 7th, 2008, 01:49 AM
#12
But even with IE6 in XP, assuming both are patched, you wouldn't be able to create an ActiveX object and access the files on the drive with JS, except for cookies of course.
-
May 7th, 2008, 12:02 PM
#13
Originally Posted by phernandez
In XP I can edit it as I please, haven't tried Vista though...
Well, you must be admin of the machine then.
I am sitting here on an XP Pro laptop... limited account... and I can't edit the host file. I can save it in My Documents but not in the driver>etc directory, as I "do not have the permissions to save in this directory".
Haven't tried on 2000 yet... but I am pretty sure I will receive the same results.
Maybe you guyz aren't patched.
MLF
Last edited by morganlefay; May 7th, 2008 at 12:10 PM.
How people treat you is their karma- how you react is yours-Wayne Dyer
-
May 7th, 2008, 01:50 PM
#14
That's interesting MLF.
I have just checked XP Pro SP3 and 2000 SP4 and you need to be Admin or System. Now I am not sure what the default authorities are, so I might have downgraded the limited account or it could be something I ran, like the MS Baseline Security Analyser that prompted me to do it.
On the other hand, perhaps phernandez's account has some inherited elevated privileges from when it was set up............ kind of "Superuser"?
Strange thing is I cannot find anything on Google about it, although Vista is mentioned. Also, the three tools I mentioned earlier all have a facility to lock the hosts file?
I will dig out an old Win2000 box and see if that is the same.
-
May 7th, 2008, 02:12 PM
#15
On 2000 WS, member of a 2003 Server AD\domain, limited local user... cannot edit host file and save in the etc directory: "access denied".
Also cannot create a folder or file in this directory.
My conclusion is unless the path of the host file is changed a limited user account would mitigate the said vulnerability.
MLF
-
May 7th, 2008, 02:55 PM
#16
This script would run in IE only anyway. Firefox doesn't know what an ActiveX object is. You can run this locally if you alter the security permissions in IE (allow active content to run in files on my computer), but you'll still get a warning. I just tested it.
-
May 7th, 2008, 11:11 PM
#17
This is true JP but imagine what could happen to a lot of people if say msnbc.com got hacked or some huge site. People would accept because they "know the site" and A LOT of people could get hijacked real quick.
-
May 8th, 2008, 03:16 AM
#18
Many people could, yes. Can't believe after all this time that the word isn't out, I mean widespread, of the advantages of surfing with a minimal permissions account. I mean you can render SO many Windows holes inert just by doing that one thing. So you have to log on/off to install something, so? How often does one install new software? 10 times a yr?