Secure Coding mailing list archives

4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code


From: dinis at ddplus.net (Dinis Cruz)
Date: Thu, 06 Apr 2006 13:51:26 +0100

Comment inline,

ljknews wrote:
> At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:
>
>> 3) Since my assets as a user exist in user land, isn't the risk profile
>> of malicious unmanaged code (deployed via IE/Firefox) roughly the same
>> if I am running as a 'low privileged' user or as administrator? (at the
>
> If the administrator's assets are compromised, all users of the system
> will have their assets compromised.

Sure, but if the main assets exist within that user's space, then the
risk is similar.

Look at your own computer, even if you use a non-admin account (like I
am doing at the moment in my PowerBook G4), if a malicious attacker is
after your assets (email, VPNs, documents, Credit Card details, access
to your online banking accounts, attack other computers on your local
network, etc...) then he can do all that from user-land (there is no
need for admin privileges).

>> end of the day, in both cases the malicious code will still be able to:
>> access my files, access all websites that I have stored credentials in
>> my browser (cookies or username / password pairs), access my VPNs,
>
> Certainly users should not store credentials in software on a computer.

Ok, but this is impossible today (at least in Windows). In a normal user
session, you will have credentials (or equivalent) in multiple user-land
processes. From login accounts used in your Browser to valid Kerberos
tickets (or more to the point, valid windows security handles (i.e.
tokens) which are as good as stored credentials).

The bottom line is, if your browser can do it, so can malicious code
executed via your browser.

>> attack other computers on the local network, install key loggers,
>
> If one is not the administrator, there should be no way to install
> software.  If there is, the operating system is underprotected.

Who said that? I might not be able to put it in under the 'Program
files' folder, add files to the windows directory or write to some
sections of the registry. But since you can run executables, you can
perform all sorts of malicious actions.

A good example are .Net applications which can be executed with no
installation.

>> establish two way communication with an Internet based bot net, etc ...
>
> At least one aspect of that is a design defect in TCP/IP, allowing
> unprivileged users to create a port to receive inbound connections.
> Other networking protocols avoid that flaw.

This is not a design flaw with TCP/IP, the problem here is that the OS
and the run-time-Sandbox (if there is one) are allowing this to occur.

Remember that if I can talk HTTP with an external computer (located
somewhere in the Internet), then I can use it to establish a two way
communication channel.

Can you really defend that all applications that are executed in our
computers (from winzip upwards) should be able to connect to the
internal, download code and execute it with the privileges of the logged
in user?

Because that is what they can do today (if that computer is connected to
the Internet :)

Dinis Cruz
Owasp .Net Project
www.owasp.net