WebApp Sec mailing list archives
Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Mon, 27 Mar 2006 23:55:50 +0200 (MET DST)
On Mon, 27 Mar 2006, Brian Eaton wrote:
I wasn't sure if Windows actually supported mandatory access controls, so I poked around on Microsoft's web site a bit. Yes, Windows supports MAC.
MS Windows does not support MAC. Its future version (i.e. Vista) might support some half-baked (*) pseudo-MAC. (*) Where's the *-property? Everything I see is the ss-property. Any idiot can implement a lame wannabe pseudo-MAC lacking the *-property but such a thing cannot be the true mandatory access control, it'd be mere DAC on steroids!
In his original note, Dinis raised a good point: even a restricted browser has access to all kinds of sensitive personal information, such as passwords to web sites. MAC would not prevent an exploit from stealing that kind of data.
Nonsense. MAC was invented by soldiers and spooks to protect confidentiality. (The use of MAC to protect integrity is, in fact, an afterthought.) Properly implemented and configured MAC can prevent the leakage of confidential (i.e. sensitive personal) information to (unauthorized) web sites. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 25)
- RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 25)
- Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 27)
- Re: [Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IEvulnerability, Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Joe Ciechanowski (Mar 31)
- Re: [Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IEvulnerability, Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Saqib Ali (Mar 31)
- Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 27)
- RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 25)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Valdis . Kletnieks (Mar 25)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 25)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefoxvs IE security, User vs Admin risk profile, and browsers coded in 100%Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)