| VID |
28600 |
| Severity |
20 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
A user was found to have the Internet Explorer "Do not save encrypted pages to disk" option turned off. This option, listed under Internet Explorer's Security options, controls whether web pages encrypted using Secure Sockets Layer (SSL) are stored on the hard disk in the temporary Internet files. If this setting is disabled, Internet Explorer allows secure content to be saved on the local file system in non-encrypted or non-secure form. By enabling the appropriate settings, you can prevent an attacker from launching further attacks using Internet Explorer.
* Note: This check requires an account with administrative privileges that can log in to the host being scanned. If these conditions are not met, the check is not performed, resulting in a false negative for all vulnerable hosts.
* References: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/22000.asp http://msdn.microsoft.com/workshop/security/szone/overview/esc_changes.asp http://www.winguides.com/registry/category.php?612
* Platforms Affected: Microsoft Internet Explorer, any version |
| Recommendation |
Set the Internet Explorer Option to the appropriate value by using the following steps:
For Internet Explorer 4:
1. Open Internet Explorer.
2. From the View menu, select Internet Options.
3. Click the "Advanced" tab and scroll down to the "Security" section.
4. Check the box "Do not save encrypted pages to disk".
For Internet Explorer 5 - 10:
1. Open Internet Explorer.
2. From the Tools menu, select Internet Options.
3. Click the "Advanced" tab and scroll down to the "Security" section.
4. Check the box "Do not save encrypted pages to disk". |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
356 (ISS) |
|