Full Disclosure mailing list archives

Re: verizon vs m$


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Tue, 7 Dec 2010 19:17:24 +0000

> On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>> 2. some interpret it as a feature and some as a bug?
>
> Does it have to be either?
>
> It sounds to me as if this is a deliberate design decision, and people
> are disagreeing over the severity of its implications.
>
> Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
> technically not a bug, but it does violate the Principle of Least Surprise.

Or, some people (like Larry) don't have a hyperbolic approach to exploit vector details.  I like Larry's approach, and 
consider it the most accurate comment thus far (including my own).   Rather than actual white papers and references to 
M$ and "Exploder," this entire "vector" can be summarized in one sentence: 

If you are running Vista+, and are on a domain, and have not altered the PM defaults, and if you have an unpatched 
vulnerability in IE that allows an attacker to remotely install a web service that runs on localhost and redirects your 
browser to that service, and the vulnerability is capable of being re-exploited, then the web service code could launch 
other code that runs in the Intranet zone with associated security settings that would run in the context of the local 
user.  

It could even be shortened to: The Intranet Zone has Protected Mode disabled, Internet zone does not.  If you are worried 
about your domain users being exploited by unknown vulnerabilities that could be launched in the Intranet zone, then 
add localhost to your restricted zone.  Since they are on a domain, this is a trivial task.

Is this where the industry is now?  If I wrote a similar white paper that applied to open source products and posted it 
here, I would be appropriately ridiculed off the list.  I'll actually take this as a sign of progress - when the only 
way Guninski can get his "M$ Exploder" comments in is to reference other people's research-in-the-obvious and have 
something so trite be referred to as "Broken by Design" then it proves two things: Security is getting better, and 
people could not care less. 

t

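Added example, not code from the post or its author: a read-only audit of the two settings the message turns on, whether Protected Mode is enabled per IE zone and which zone localhost is assigned to. It assumes the standard Internet Settings registry layout (zone value "2500" holds the Protected Mode setting, 0 = on, 3 = off; per-user mappings live under ZoneMap\Domains; the domain policy "Site to Zone Assignment List" writes to ZoneMapKey).

```powershell
# Added example (not from the original post). Reads only; nothing is changed.
# Assumed layout: Zones\<id>\2500 = Protected Mode (0 on, 3 off); ZoneMap\Domains\<host>\<scheme>
# = per-user zone id; ZoneMapKey = policy "Site to Zone Assignment List" (site name -> zone id).
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$userBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ProtectedModePerZone {
    # Reads the user's own zone settings; a policy-managed value would live under Software\Policies instead.
    foreach ($id in 1..4) {
        $value = (Get-ItemProperty -Path "$userBase\Zones\$id" -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($null -eq $value) { $state = 'not set' } elseif ($value -eq 0) { $state = 'enabled' } else { $state = 'disabled' }
        [pscustomobject]@{ Zone = $zoneNames[$id]; ProtectedMode = $state }
    }
}

function Get-LocalhostZoneAssignment {
    # Policy entries: one REG_SZ value per site, named after the site, with the zone id as data.
    foreach ($site in 'http://localhost', 'https://localhost', 'localhost') {
        $policy = (Get-ItemProperty -Path $policyKey -Name $site -ErrorAction SilentlyContinue).$site
        if ($null -ne $policy) {
            [pscustomobject]@{ Source = 'policy'; Site = $site; Zone = $zoneNames[[int]$policy] }
        }
    }
    # Per-user entries: a key per host with one DWORD per scheme.
    foreach ($scheme in 'http', 'https') {
        $v = (Get-ItemProperty -Path "$userBase\ZoneMap\Domains\localhost" -Name $scheme -ErrorAction SilentlyContinue).$scheme
        if ($null -ne $v) {
            [pscustomobject]@{ Source = 'user'; Site = "${scheme}://localhost"; Zone = $zoneNames[[int]$v] }
        }
    }
}

$pm = Get-ProtectedModePerZone
$pm | Format-Table -AutoSize
$assignments = @(Get-LocalhostZoneAssignment)
if ($assignments.Count -eq 0) {
    'localhost is not explicitly mapped; under the default intranet-detection rules it lands in Local intranet.'
} else {
    $assignments | Format-Table -AutoSize
}
# The combination the post describes: Protected Mode off for Local intranet and localhost not moved out of it.
$intranetOff  = ($pm | Where-Object Zone -eq 'Local intranet').ProtectedMode -ne 'enabled'
$inRestricted = $assignments | Where-Object Zone -eq 'Restricted sites'
if ($intranetOff -and -not $inRestricted) {
    'WARNING: Protected Mode is off for Local intranet and localhost is not assigned to Restricted sites.'
}
```

Run it in the context of a domain user on a workstation; a policy-sourced 'Restricted sites' row for localhost shows the mitigation from the post has been pushed by Group Policy.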

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

