Full Disclosure mailing list archives

Re: verizon vs m$

From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 6 Dec 2010 16:57:44 +0000

-----
Finally, Microsoft and other software vendors should clearly document
which features do and do not have associated security claims. Clearly
stating which features make security claims, and which do not, will allow

informed decisions to be made on IT security issues.

-----

From 2007:


http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-
security.html

"Vista makes tradeoffs between security and convenience, and both UAC
and Protected Mode IE have design choices that required paths to be
opened in the IL wall for application compatibility and ease of use,"
he wrote.

Because the boundaries defined by UAC and Protected Mode IE are
designed to be porous, they can't really be considered security barriers, he
said. "Neither UAC elevations nor Protected Mode IE define new Windows
security boundaries," Russinovich wrote. "Because elevations and ILs don't
define a security boundary, potential avenues of attack, regardless of ease or
scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the point
needed reiterating.

(Note that Russinovich is properly cited in the Verizon Business report -- just
pointing out that this has come up before.)


Did you read the Reg article?  It has nothing to do with the definition of a "security boundary."  It's not about that 
at all.  It's about a title tease of "bypassing protected mode" with associated inaccurate content when the whole thing 
could be summarized with "Protected Mode is not enabled by default in the Intranet zone."  The "boundary" conversation, 
while interesting, is irrelevant here.

I know times are tough and click-throughs on ads need to be maximized, but I don't think misrepresentation of technical 
content is appropriate.  I can understand why the Reg would write the article, but I asked Guninski if the reason he 
posted it was because he considered Protected Mode being disabled by default in the Intranet zone some sort of security 
issue.

t 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

verizon vs m$ Georgi Guninski (Dec 05)
- Re: verizon vs m$ Thor (Hammer of God) (Dec 05)
  - Re: verizon vs m$ Larry Seltzer (Dec 05)
  - Re: verizon vs m$ Georgi Guninski (Dec 06)
  - Re: verizon vs m$ Ven Ted (Dec 06)
    - Re: verizon vs m$ Thor (Hammer of God) (Dec 06)
    - Re: verizon vs m$ John Lightfoot (Dec 06)
    - Message not available
    - Fwd: verizon vs m$ Ven Ted (Dec 06)
    - Re: Fwd: verizon vs m$ Thor (Hammer of God) (Dec 06)
- Re: verizon vs m$ Dan Kaminsky (Dec 06)
  - Re: verizon vs m$ Thor (Hammer of God) (Dec 06)
    - Re: verizon vs m$ Dan Kaminsky (Dec 06)
    - Re: verizon vs m$ Thor (Hammer of God) (Dec 06)
- Re: verizon vs m$ Georgi Guninski (Dec 07)
  - Re: verizon vs m$ Dan Kaminsky (Dec 07)
    - Re: verizon vs m$ Larry Seltzer (Dec 07)
    - Re: verizon vs m$ Valdis . Kletnieks (Dec 07)
    - Re: verizon vs m$ Dan Kaminsky (Dec 07)
    - Re: verizon vs m$ Thor (Hammer of God) (Dec 07)
    - Re: verizon vs m$ Marsh Ray (Dec 07)
    - Re: verizon vs m$ Christian Sciberras (Dec 07)

(Thread continues...)