Secure Coding mailing list archives
4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: ljknews at mac.com (ljknews)
Date: Thu, 6 Apr 2006 22:59:13 -0400
At 1:57 PM +0100 4/6/06, Dinis Cruz wrote:
At least one aspect of that is a design defect in TCP/IP, allowing unprivileged users to create a port to receive inbound connections.
If an application is a File Compression utility, then there is no reason why it should have access to the TCP stack. And if they do need access to it (for example to check for updates), then those exceptions should be very well controlled and monitored.
The problem then, is how to prevent an unprivileged user from setting up a File Compression utility to access TCP and establish a port to which an incoming connection can be made without authentication. This is back to the issue of which programs can be trusted -- and the answer to that should be _not_ programs provided by an unprivileged user.
-- Larry Kilgallen
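An added example, not part of the original message: one way to monitor for the condition discussed above, TCP ports opened for inbound connections by unprivileged users, by parsing the Linux `/proc/net/tcp` table. The Linux format, the little-endian address encoding, the constructed sample rows and the `min_uid=1000` cutoff for "ordinary user" are assumptions.

```python
import socket
import struct

# Constructed sample in Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:D431 010200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20005 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_listeners(text):
    """Return one dict per listening IPv4 socket in a /proc/net/tcp dump."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue                            # malformed row or not LISTEN
        ip_hex, port_hex = fields[1].split(":")
        # Assumption: little-endian host, so the address word is byte-swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append({
            "ip": ip,
            "port": int(port_hex, 16),
            "uid": int(fields[7]),              # owner of the socket
            "inode": int(fields[9]),            # maps to /proc/<pid>/fd entries
        })
    return listeners


def unprivileged_exposed(listeners, min_uid=1000):
    """Listeners owned by ordinary users and reachable from other hosts.

    min_uid=1000 is an assumed cutoff for non-system accounts.
    """
    return [l for l in listeners
            if l["uid"] >= min_uid and not l["ip"].startswith("127.")]


if __name__ == "__main__":
    for hit in unprivileged_exposed(parse_listeners(SAMPLE)):
        print("uid %(uid)d listens on %(ip)s:%(port)d (inode %(inode)d)" % hit)
```

On a live Linux host the same functions can be fed the contents of `/proc/net/tcp`; the inode is what ties a flagged socket back to the owning process.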