Full Disclosure mailing list archives

Re: Gates: 'You don't need perfect code' for good security


From: Valdis.Kletnieks () vt edu
Date: Sun, 02 Nov 2003 22:09:35 -0500

On Mon, 03 Nov 2003 12:23:06 +1300, Nick FitzGerald <nick () virus-l demon co uk>  said:


> lots of exploits "abstracted" from those APIs.  For example, an awful
> lot of IE vulns can only be easily (and thus "usefully") leveraged
> because it is (well, was -- this is a Win9x example) easy to assume
> that any kind of program code that could be dropped into
> c:\windows\start menu\programs\startup would be run next startup.
> Finding the actual location of the startup folder was beyond the
> exploit because it was running in an environment that could not query
> the registry or other system APIs that would reveal the location.

And for bonus points, explain how you fix the scheme so the poor sysadmin who
has to run stuff at startup is able to find the folder, but an exploit running
with 'administrator' or 'system' can't find it?
