Full Disclosure mailing list archives
Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Mon, 27 Mar 2006 10:07:13 -0500
On 3/27/06, Pilon Mntry <pilonmntry () yahoo com> wrote:
What about using the facilities already provided by the OS to enforce the sandbox?But then will it be possible to prevent buffer overflows, still running on unmanaged code?
No. You could use PAX or the like to try to make buffer overflows less exploitable, but mandatory access controls have a different focus. Mandatory access controls kick in when the exploit has done its work and is now executing arbitrary code in the context of your browser. The access controls operate at the kernel level to prevent the code from performing system calls that haven't been explicitly allowed. In the case of the calculator demo for the createTextRange vulnerability, the attempt to execute the calculator would have failed, because the browser would not have permission to execute arbitrary files. I wasn't sure if Windows actually supported mandatory access controls, so I poked around on Microsoft's web site a bit. Yes, Windows supports MAC. Even better, IE 7 will include a "protected" mode that uses MAC to lock down the browser. This is a step in the right direction. http://tinyurl.com/ncp35 In his original note, Dinis raised a good point: even a restricted browser has access to all kinds of sensitive personal information, such as passwords to web sites. MAC would not prevent an exploit from stealing that kind of data. Regards, Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 25)
- RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 25)
- Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 26)
- Re: Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Joe Ciechanowski (Mar 31)
- Message not available
- Re: Re: [Owasp-dotnet] RE: 4 Questions: Latest IEvulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Saqib Ali (Mar 31)
- Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 26)
- RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 25)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 25)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 26)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Christopher Bergström (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 26)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)