Full Disclosure mailing list archives
FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed
From: David Blanc <davidblanc1975 () gmail com>
Date: Fri, 29 May 2009 20:59:12 +0530
Duarte Silva, the creator of the so-called FFSpy PoC seems to be suggesting that the plugin mechanism of most software which allows a user to run a plugin in the context of the user running the software is flawed. First of all, here is the lame PoC for those who want to read it: http://myf00.net/?p=18 You can see a few comments where people are trying to ask how exactly the attack is carried out. However, Duarte has been giving lame responses such as: "True. But is also interesting to see that there isn’t nothing to ensure the user the plug-in isn’t changed." In his wrap up blog at http://myf00.net/?p=97 he seems to suggest that the existing plugin or add on mechanism of most software is flawed. Do read his comments at the end of the blog. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed David Blanc (May 29)