Re: Winnt/Win2k Vuln ?

[Ben Ford <bford () erisksecurity com>]

David Schwartz wrote:

> > Think that is scary?  I cannot state about the current browser, but
> > previous versions bypassed a lot of the NT security features.  Happens
> > when the browser is made an integral part of the OS - but for legal
> > reasons and with apparently little concerns to security ones.
>
>         I would say the reverse would be more of a security problem. You'd prefer
> that somebody could create a web site with the same name as one of your
> files and when you ask for the file, you get the web site?
>
>         If you care about security, enter fully-qualified URLs, don't use
> abbreviations. Any scheme to accept abbreviations will sometimes fail to get
> you what you want. For example, what will your browser do if you just type
> in "ftp.mydomain.com"? Will it take it as "http://ftp.mydomain.com";? Or will
> it take it as "http://ftp.mydomaincom";? If you don't know and understand the
> rules for expanding abbreviations, don't use abbreviations.
>
>         I only wish you could disable them. Both IE and Netscape have done things I
> didn't expect more than once.
>
>         DS

The browser should not be the file manager.  That is all there is to it.

-b

--
Fly Windows NT:
All the passengers carry their seats out onto the tarmac, placing the chairs
in the outline of a plane. They all sit down, flap their arms and make jet
swooshing sounds as if they are flying.