Reference | Link |
---|---|
Security Advisories and Bulletins | |
Microsoft Update | http://www.microsoft.com/athome/security/protect/windowsxp/updates.aspx |
eWeek's "Browser Security" topic page | http://www.eweek.com/category2/0,1874,1744082,00.asp |
IE Bulletins | http://www.microsoft.com/technet/security/current.aspx |
Firefox Bulletins | http://www.mozilla.org/security/announce/ |
IE IFRAME vulnerability (MS04-040) | |
"Reviewing Code for Integer Manipulation Vulnerabilities" | http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp |
MS04-028 Buffer Overrun in JPEG (GDI+) | http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx |
"libPNG 1.2.5 stack-based buffer overflow and other code concerns" by Chris Evans | http://scary.beasts.org/security/CESA-2004-001.txt |
MS04-025, includes vulnerabilities in BMP and GIF image handlers | http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx |
MS06-001, WMF vulnerability | http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx |
Firefox IDN URL Domain Name Buffer Overflow | https://addons.mozilla.org/messages/307259.html |
MS04-013 MHTML/CHM patch | http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx |
US-CERT Alert on HTML Help ActiveX Control Cross-Domain Vulnerability | http://www.us-cert.gov/cas/techalerts/TA05-012B.html |
Mozilla User Interface Spoofing Vulnerability (XUL) | http://secunia.com/advisories/12188/ |
Browser Exploits | |
"Web browsers - a mini-farce" by Michal Zalewski | http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 |
Browser Security Check | http://bcheck.scanit.be/bcheck/ |
Sun Java Plugin arbitrary package access vulnerability | http://jouko.iki.fi/adv/javaplugin.html |
Java Web Start argument injection vulnerability | http://jouko.iki.fi/adv/ws.html |
IE createTextRange exploit by Darkeagle | http://www.milw0rm.com/exploits/1606 |
Berend-Jan Wever's IE IFRAME exploit code | http://www.edup.tudelft.nl/~bjwever/exploits/InternetExploiter.zip |
Firefox Multiple Vulnerabilities, February 2006 | http://secunia.com/advisories/18700/ |
Firefox QueryInterface Code Execution | http://metasploit.com/archive/framework/msg00857.html |
WMF exploit (Metasploit) | http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile |
Microsoft JPEG/GDI+ exploits | http://securityfocus.com/bid/11173/exploit/ |
libPNG exploits | http://www.securityfocus.com/bid/10857/exploit/ |
IE MHTML/CHM vulnerability | http://www.securityfocus.com/archive/1/354447 |
Thor Larholm's description of http-equiv's LMZ bypass using drag-n-drop | http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0754.html |
"Google Desktop Exposed: Exploiting an IE Vulnerability to Phish User Information" | http://www.hacker.co.il/security/ie/css_import.html |
Georgi Guninski's showHelp CHM file exploit | http://www.guninski.com/chm3.html |
IE improper URI canonicalization | http://securityfocus.com/bid/9182/ |
FFsniFF, a Firefox extension that steals HTML form submissions | http://azurit.gigahosting.cz/ffsniff/ |
Technical explanation of the MySpace worm by Samy | http://namb.la/popular/tech.html |
Countermeasures | |
Software Restriction Policies (SRP) | http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx |
Bypassing SRP | http://www.sysinternals.com/blog/2005/12/circumventing-group-policy-as-limited.html |
How to strengthen the security settings for the Local Machine Zone in Internet Explorer | http://support.microsoft.com/?kbid=833633 |
UrlActions | http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/reference/constants/urlaction.asp |
Internet Explorer Administration Kit (IEAK) | http://www.microsoft.com/windows/ieak/techinfo/default.mspx |
Enhanced Security Configuration (ESC) for IE | http://www.microsoft.com/windowsserver2003/developers/iesecconfig.mspx |
Trickery: Phishing, Adware, and Spyware | |
Anti-Phishing Working Group | http://anti-phishing.org/ |
JunkBusters | http://www.junkbusters.com |
SpywareInfo | http://www.spywareinfo.com |
Spyware Guide | http://www.spywareguide.com |
Computer Associates (CA) Spyware Information Center | http://www.pestpatrol.com/pestinfo |
Free Spyware Scan | http://pestpatrol.com/ |
"How Windows Defender identifies spyware" | http://www.microsoft.com/athome/security/spyware/software/msft/analysis.mspx |
Autostart Extensibility Points (ASEPs) | http://www.pestpatrol.com/PestInfo/AutoStartingPests.asp |
Browser Helper Objects (BHOs) | http://msdn.microsoft.com/library/en-us/dnwebgen/html/bho.asp |
Browser Helper Objects (BHOs), shorter summary | http://www.spywareinfo.com/articles/bho/ |
Spybot Search & Destroy | http://www.safer-networking.org |
Ad-Aware | http://www.lavasoft.de |
Windows Defender | http://www.microsoft.com/athome/security/spyware/software/default.mspx |
Windows Defender compared with other Microsoft anti-spyware and anti-virus technologies | http://www.microsoft.com/athome/security/spyware/software/about/productcomparisons.mspx |
Online Fraud Resources | |
APWG "Consumer Advice: How to Avoid Phishing Scams" | http://anti-phishing.org/consumer_recs.html |
Internet Crime Complaint Center (run by the FBI and NW3C) | http://www.ic3.gov/ |
Privacy Rights Clearing House "Identity Theft Resources" | http://www.privacyrights.org/identity.htm |
US Federal Trade Commission (FTC) Identity Theft Site | http://www.consumer.gov/idtheft/ |
General References | |
Java Security FAQ | http://java.sun.com/sfaq/index.html |
Java specifications | http://java.sun.com |
IE's Internet Security Manager Object | http://msdn.microsoft.com/workshop/security/szone/reference/objects/internetsecuritymanager.asp |
Compressed HTML Help (CHM) | http://en.wikipedia.org/wiki/Microsoft_Compressed_HTML_Help |
"Cross-Site Cooking" by Michal Zalewski | http://www.securityfocus.com/archive/107/423375/30/0/threaded |
"JavaScript: How Did We Get Here?" by Steve Champeon | http://www.oreillynet.com/pub/a/javascript/2001/04/06/js_history.html |
showHelp Method | http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showhelp.asp |
Component Security for Mozilla | http://www.mozilla.org/projects/security/components/design.html |
How to read e-mail messages in plain text using Microsoft products | http://www.microsoft.com/athome/security/online/browsing_safety.mspx#3 |
How to use IE Security Zones | http://support.microsoft.com/?kbid=174360 |
Kill-bit'ing ActiveX controls | http://support.microsoft.com/?kbid=240797 |