VID 28602
Severity 20
Port 139,445
Protocol TCP
Class SMB
Detailed Description A user is found to have the Internet Explorer "Warn about invalid site certificates" option turned off.
The "Warn about invalid site certificates" option in the Internet Explorer Security options controls whether the browser warns users that they are connecting to an SSL site that does not have a valid site certificate, which may indicate that the page being viewed isn't the legitimate page the user requested.
If this setting is disabled, Internet Explorer issues no warning when sending data to a remote site whose security certificate does not match its Internet address, which allows the user to submit confidential data to a non-secure site. By enabling the appropriate settings, you can prevent the attacker from launching further attacks using Internet Explorer.

* References:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/22000.asp

* Note: This check requires an account with administrative privileges that can log into the host being scanned. If these conditions are not met, the check is not performed, which results in a false negative for all vulnerable hosts.

* Platforms Affected:
Microsoft Internet Explorer Any version
Recommendation Set the Internet Explorer Option to the appropriate value by using the following steps:

For Internet Explorer 4:
1. Open Internet Explorer.
2. From the View menu, select Internet Options.
3. Click the "Advanced" tab and scroll down to the "Security" section.
4. Check the box "Warn if changing between secure and not secure mode".

For Internet Explorer 5 - 10:
1. Open Internet Explorer.
2. From the Tools menu, select Internet Options.
3. Click the "Advanced" tab and scroll down to the "Security" section.
4. Check the box "Warn if changing between secure and not secure mode".
Related URL (CVE)
Related URL (SecurityFocus)
Related URL 385 (ISS)