What this all boils down to is that when you add a site to the Trusted Zone you are giving it additional privileges - this is by design and not a vulnerability.

You can read more about IE Security Settings at http://www.microsoft.com/windows/ie/using/howto/security/settings.asp from which we can also read about the Trusted Zone that you should: "Add a site to this zone only if you trust that it would never cause harm to your computer."

Giving any site additional executional privileges means that you are extending your level of trust. You are trusting that the site in question does not get compromised and have its content replaced with malicious code, and you are trusting that the site does not have any XSS errors that would allow harmful code injection into the HTML stream.

There are no sites in the Trusted Zone on a default installation, so the impact is significantly lowered. However, Windows Update is hardcoded to have additional privileges, so if you want to try and practically abuse the level of trust you would have better luck in trying to find XSS errors on the Windows Update site or find ways to beat the URL parsing algorithm that detects whether IE is on the Windows Update site or not.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
949-231-8496

PivX defines "Proactive Threat Mitigation".
Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: http-equiv@excite.com [mailto:1@malware.com]
Sent: Friday, December 26, 2003 9:02 AM
To: bugtraq@securityfocus.com
Cc: NTBugtraq@listserv.ntbugtraq.com
Subject: DANGER ZONE: Internet Explorer

<snip http://www.securityfocus.com/archive/1/348363/2003-12-26/2004-01-01/0>

<snip http://tinyurl.com/3eldd>