Buying the Pharm

[metguru]

Something I don't understand there. They're instantiating an ActiveX object . Wouldn't that be blocked by most people's security settings these days? I know it would be by mine.

Yea, but its like the rest of the security warnings in Vista; I think that most people would just click to allow without thinking twice.

[JPnyc]

But even with IE6 in XP, assuming both are patched, you wouldn't be able to create an activeX object and access the files on drive with JS, except for cookies of course.

[morganlefay]

In XP I can edit it as I please, haven't tried Vista though...

Well you must be admin of the machine then

I am sitting here on an XP Pro Laptop ...limited account...and I cant edit the host file. I can save it in my documents but not in the driver>etc directory as I "do not have the permissions to save in this directory".

Havent tried on 2000 yet...but I am pretty sure I will recieve the same results.

Maybe you guyz arent patched


MLF

[nihil]

That's interesting MLF.

I have just checked XP Pro SP3 and 2000 SP4 and you need to be Admin or System. Now I am not sure what the default authorities are, so I might have downgraded the limited account or it could be something I ran, like the MS Baseline Security Analyser that prompted me to do it.

On the other hand, perhaps phernandez's account has some inherited elevated privileges from when it was set up............ kind of "Superuser"?

Strange thing is I cannot find anything on Google about it, although Vista is mentioned. Also, the three tools I mentioned earlier all have a facility to lock the hosts file?

I will dig out an old Win2000 box and see if that is the same.

[morganlefay]

On 2000 WS, member of a 2003 Server AD\domain , limited local user..cannot edit host file and save in the etc dirctory "access denied"

Also cannot created a folder or file in this directory.

My conclusion is unless the path of the host file is changed a limited user account would mitigate the said vulnerability.

MLF

[JPnyc]

This script would run in IE only anyway. Firefox doesn't know what an ActiveX object is. You can run this locally if you alter the security permissions in IE (allow active content to run in files on my computer) , but you'll still get a warning. I just tested it.

[oofki]

This is true JP but imagine what could happen to a lot of people if say msnbc.com got hacked or some huge site. People would accept because they "know the site" and A LOT of people could get hijacked real quick.

[JPnyc]

Many people could, yes. Can't believe after all this time that the word isn't out, I mean widespread, of the advantages of surfing with a minimal permissions account. I mean you can render SO many windows holes inert just by doing that one thing. So you have to log on/off to install something, so? How often does one install new software? 10 times a yr?