Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DLL hijacking with Autorun on a USB drive

From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 1 Sep 2010 00:59:06 +0200
(and yes, "interpreted data" like shell scripts and Java .class files and Flash
are the sort of neither-fish-nor-fowl that give security models headaches, so
don't bother flaming about that. ;)

OK. Also add exploits in non-executable data as well (such as a certain gif...).


What was your point again?


Cheers.



On Wed, Sep 1, 2010 at 12:56 AM,  <Valdis.Kletnieks () vt edu> wrote:

On Wed, 01 Sep 2010 08:34:47 +1000, paul.szabo () sydney edu au said:

Christian Sciberras <uuf6429 () gmail com> wrote:


Why do you say harmless? Because you know a text file can't do
anything at all.


Exactly. The victim is attempting to view a plain text file. Surely
that can be done safely?


Only if your OS's security model understands the fact that executable code
and data belong in different security domains and thus different rules should
apply about what files to "trust" in each category.

(and yes, "interpreted data" like shell scripts and Java .class files and Flash
are the sort of neither-fish-nor-fowl that give security models headaches, so
don't bother flaming about that. ;)



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: