A quote from: catch

"Run IE as a less privileged user, all bugs fixed without patching. Gee that was tough."


This kid below is telling me it doesn't matter If I run on a XP limited account, nor if I use a hardened IE. I will assume catch is right here, not the kid can anyone sort this out? & simplify it.

thanks



A quote from: KID
The problem is not with the account...it's the fact that IE, which operates with the OS at the system level, can be used to attain system level privileges or root which you may have heard of jacka*s

The user is not the problem if the browser is calling functions at the system level. Just because the browser is opened by the user does not mean that all functions run by the browser are also run as that user...they're run on the system level. Say you hit a website and IE is trying to interpret script, the function to process that code is passed in a system level process. If that process executes code which is able to exploit a vulnerability in the OS the result could be system level privileges to execute the code of choice, the box is owned - root has been owned...because the process operates at the system level, which is independent of who is logged in or what rights they have. If they can run IE the problem still exists. Sure you could limit the users to be unable to run IE but that's not a very good solution. The culprit here is the OS itself...not the user. Patch the box!