VID 28617
Severity 20
Port 139,445
Protocol TCP
Class SMB
Detailed Description The Internet Explorer 'Software channel permissions' option is set lower than the value defined in the security policy. A malicious program may be automatically downloaded and installed on the local computer.
Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer. Users can set the security options they want for each zone, and then add or remove Web sites from the zones, depending on their level of trust in a Web site. For each security zone, this option controls whether the web browser automatically installs software updates from the HTML page that contains the channel content. This option has these settings:

1. High safety, which prevents users from being notified of software updates by e-mail and prevents software packages from being automatically downloaded and installed on the user's system.
2. Low safety, which notifies users of software updates by e-mail and allows software packages to be automatically downloaded and installed on the user's system.
3. Medium safety, which notifies users of software updates by e-mail and allows software packages to be automatically downloaded to (but not installed on) the user's system.

Malicious channel content may be automatically downloaded and installed without the user's knowledge.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed, which results in a False Negative for all vulnerable hosts. Unless the user applies a new security zone policy, this option is set to the default value of the security zone as applied in Internet Explorer 5.

* References:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;182569
http://support.microsoft.com/default.aspx?scid=kb;EN-US;174360
http://support.microsoft.com/default.aspx?scid=kb;EN-US;300443
http://www.microsoft.com/technet/archive/ie/reskit/ie4/part7/part7a.asp

* Platforms Affected:
Microsoft Internet Explorer Any version
Windows Any version
Recommendation Configure the security settings within Internet Explorer to satisfy the recommended policy below or your security policy by performing the following steps:

For Internet Explorer 4:
1. Open Internet Explorer.
2. From the View menu, select Internet Options.
3. Click the "Security" tab and then select the appropriate zone.
4. Click "Custom", then click "Setting".
5. Set "Software channel permissions" according to your security policy, or set it back to the recommended policy as follows:
- Local Intranet, Internet: Medium safety
- Trusted Sites: Low safety
- Restricted Sites: High safety

For Internet Explorer 5 - 10:
1. Open Internet Explorer.
2. From the Tools menu, select Internet Options.
3. Click the "Security" tab and then select the appropriate zone.
4. Click "Custom Level".
5. In the Miscellaneous area, set "Software channel permissions" according to your security policy, or set it back to the recommended policy as follows:
- Local Intranet, Internet: Medium safety
- Trusted Sites: Low safety
- Restricted Sites: High safety
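
The recommended policy above can also be verified from the registry instead of the dialog. The following PowerShell audit is an added example, not the scanner's own check; the function name `Get-ChannelPermissionFinding` is hypothetical. It assumes the per-user zone key, the value name `1E05` and the data values documented in Microsoft KB 182569 (the first reference above).

```powershell
# Added audit example (not the scanner's code). Assumptions: key path, value name
# 1E05 and its data values follow Microsoft KB 182569. Only the per-user hive is
# read; group-policy overrides under ...\Software\Policies\... are not checked.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Action   = '1E05'   # Software channel permissions

# 1E05 data values and the labels shown in the Internet Options dialog
$Labels = @{ 0x10000 = 'High safety'; 0x20000 = 'Medium safety'; 0x30000 = 'Low safety' }

# Recommended policy from this page (zone 0, My Computer, has no recommendation)
$Policy = @(
    [pscustomobject]@{ Zone = 1; Name = 'Local Intranet';   Expected = 0x20000 }
    [pscustomobject]@{ Zone = 2; Name = 'Trusted Sites';    Expected = 0x30000 }
    [pscustomobject]@{ Zone = 3; Name = 'Internet';         Expected = 0x20000 }
    [pscustomobject]@{ Zone = 4; Name = 'Restricted Sites'; Expected = 0x10000 }
)

function Get-ChannelPermissionFinding {
    param([Parameter(Mandatory)] $Rule, [string] $Root = $ZonesKey)

    $key    = Join-Path $Root $Rule.Zone
    $item   = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    $actual = if ($item) { [int]$item.$Action } else { $null }

    if ($null -eq $actual) {
        $status = 'NotSet'             # value absent: the zone default applies
        $shown  = 'not set'
    } elseif (-not $Labels.ContainsKey($actual)) {
        $status = 'UnknownValue'       # data outside the three documented settings
        $shown  = '0x{0:X}' -f $actual
    } else {
        # A larger number is a less safe setting, so only "greater than" is a finding
        $status = if ($actual -gt $Rule.Expected) { 'WeakerThanPolicy' } else { 'OK' }
        $shown  = $Labels[$actual]
    }

    [pscustomobject]@{
        Zone     = $Rule.Name
        Expected = $Labels[$Rule.Expected]
        Actual   = $shown
        Status   = $status
    }
}

$Policy | ForEach-Object { Get-ChannelPermissionFinding -Rule $_ } | Format-Table -AutoSize
```

A zone stricter than the policy (for example High safety where Medium safety is recommended) is reported as `OK`, since the check flags only settings weaker than the policy.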
Related URL 379 (ISS)