Re: adobe.com important subdomain SQL injection again!

[Marsh Ray <marsh () extendedsubset com>]

On 12/19/2010 09:32 PM, John Jester wrote:
> Sandboxing the plug-in from your system fixes it I believe. It's so
> futile sandboxing it was key.

OK, so if sandboxing works, then why not just let devs build x86/x64 
code in the first place? In the same category as Native Client or ActiveX.

Maybe because sandboxing isn't going to work so well?

> And security, hell a multi-billion dollar company can't keep it from
> gobbling up 100% cpu in some instances. Huge note: over the years has
> been massive improvement in both performance and security.

I wonder how much of that is the game or app itself in a tight loop. CPU 
is, after all, there to be used.

> It's not hopeless or futile, but come on, it's like the titanic.

Remember chapter 1 of the textbook when it said "The first rule of 
security is never try to retrofit security, _ever_!!" and underlined it 
three times?

Well see back in 1996 there were these really popular animation and 
multimedia CD-ROM authoring packages and... the rest is history.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/