Secure Coding mailing list archives
Re: Re: DJB's students release 44 poorly-worded, overblown advisories
From: ljknews <ljknews () mac com>
Date: Wed, 22 Dec 2004 16:05:28 +0000
At 11:54 PM -0800 12/21/04, Crispin Cowan wrote:
> ljknews wrote:
>> On most important systems there is no need for the users to be able to provide executables which they then run. Executables are provided by the system manager.
> While I am sympathetic to this point of view, it is no longer relevant to the modern context, where many data formats end up being executable, e.g. Office documents with executable macros in them.
Executable data formats have proven impossible to secure, starting with the defect IBM introduced into CMS allowing text formatters to run in response to email documents and thus make system calls. The fact that Microsoft would copy this security hole into Word 6 certainly indicates they are not able to learn from mistakes made by others - they must reinvent the same mistakes. IBM withdrew their error.
Securing a MAC system in which the users are hog-tied is easy. The trick is to provide reasonable security *and* reasonable usability.
There ain't no such thing as a free beer. -- Larry Kilgallen