funsec mailing list archives

Re: Third-party application developers and the WMF flaw


From: TheGesus <thegesus () gmail com>
Date: Mon, 16 Jan 2006 11:45:30 -0500

On 1/16/06, Col <colweb () gmail com> wrote:
> On 16/01/06, Richard M. Smith <rms () computerbytesman com> wrote:
> <snip>
>> Are there other security issues in the Windows
>> operating system that need the attention of application developers that
>> Microsoft is not informing developers about?
>
> I would have to say there's quite a few things MS know about and aren't
> telling. I have had a consultant brag about being able to compromise
> our whole root AD domain using basic techniques and no tools. All he
> needed was physical or RDP access to a DC (in the child domain) using
> a non-privileged account. He commented "how else do we support a
> customer that has locked themselves out of their domains?"
>
> Makes you worry.


Don't know about that. I've heard consultants brag about a lot of
things (and I assume bragging is at least 75% of their job duties).
This sounds like a planted back door account. However, if there is
more to it and that attack vector actually exists, I for one would like
to hear more. Otherwise it's just FUD.

For the record I have nothing against FUD. However, I do dislike
dickhead consultants and I agree MS has motives (reasonable or not)
for non-disclosure.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

