RE: Important to disable scripting in IE again.

Should users also be advised to shut off their email because they may be exposed to a phishing attack?  Like most things in life, there are some risks associated with the Internet.  The answer is knowledge and exercising caution, not denying the user access to a significant part of the web.  It is not a matter of "... should be allowed ...", reality is many high quality professional sites use scripting.  Only a tiny fraction of a fraction of the web presents any risk to the user.  Are you suggesting that users should deny themselves access to a large part of the web because of the extremely small chance of being exposed to this cross-domain vulnerability?  There are less restrictive preventative measures available.

Users should be informed to install and maintain anti-virus and firewall software as well as to stay current with patches and service packs.  None of these solutions, including disabling Active scripting, can totally eliminate the potential for harmful things happening.  Knowing all the available options allows users to choose just how much they want to restrict their access to the Internet.

Kurt Mattes
Application Development Analyst - Lead Developer
[302] 282-1414
Kurt_Mattes@BankOne.com



-----Original Message-----
From: w3c-wai-ig-request@w3.org [mailto:w3c-wai-ig-request@w3.org]On
Behalf Of David Woolley
Sent: Saturday, June 12, 2004 4:30 AM
To: w3c-wai-ig@w3.org
Subject: Important to disable scripting in IE again.



For those who believe that web sites should be allowed to rely on scripting,
CERT, one of the most respected internet security organisations, is 
currently advising that scripting (and ActiveX) be disabled for the internet
security zone (i.e. any zone that is not fully trusted).  This is because
of a vulnerability that is being actively exploited, and which allows 
arbitrary code to be run on a machine accessing a rogue web site.  Remember
that access can be the result of typos in URLs and following misleading
hits from search engines, even if you wouldn't deliberately visit dodgy
sites (there are also more technical ways of misdirecting users).

<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>



**********************************************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you
**********************************************************************

Received on Monday, 14 June 2004 07:59:24 UTC