Secure Coding mailing list archives
Bugs and flaws
From: crispin at novell.com (Crispin Cowan)
Date: Fri, 03 Feb 2006 12:12:08 -0800
Gary McGraw wrote:
> To cycle this all back around to the original posting, let's talk about the WMF flaw in particular. Do we believe that the best way for Microsoft to find similar design problems is to do code review? Or should they use a higher level approach? Were they correct in saying (officially) that flaws such as WMF are hard to anticipate?
I have heard some very insightful security researchers from Microsoft pushing an abstract notion of "attack surface", which is the amount of code/data/API/whatever that is exposed to the attacker. To design for security, among other things, reduce your attack surface.

The WMF design defect seems to be that IE has too large of an attack surface. There are way too many ways for unauthenticated remote web servers to induce the client to run way too much code with parameters provided by the attacker. The implementation flaw is that the WMF API in particular is vulnerable to malicious content.

None of which strikes me as surprising, but maybe that's just me :)

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption