Secure Coding mailing list archives

4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

From: ljknews at mac.com (ljknews)
Date: Thu, 6 Apr 2006 22:59:13 -0400

At 1:57 PM +0100 4/6/06, Dinis Cruz wrote:

At least one aspect of that is a design defect in TCP/IP, allowing
unprivileged users to create a port to receive inbound connections.

If an application is a File Compression utility, then there is no reason
why it should have access to the TCP stack. And if they do need access to
it (for example to check for updates), then those exceptions should be
very well controlled and monitored.


The problem then, is how to prevent an unprivileged user from setting up
a File Compression utility to access TCP and establish a port to which
an incoming connection can be made without authentication.

This is back to the issue of which programs can be trusted -- and the
answer to that should be _not_ programs provided by an unprivileged user.
-- 
Larry Kilgallen

Current thread:

4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Apr 06)
- 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code ljknews (Apr 06)
- <Possible follow-ups>
- 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Apr 06)
  - 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code ljknews (Apr 06)
    - 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code der Mouse (Apr 07)