Secure Coding mailing list archives
4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: ljknews at mac.com (ljknews)
Date: Thu, 6 Apr 2006 22:54:51 -0400
At 1:51 PM +0100 4/6/06, Dinis Cruz wrote:
> ljknews wrote:
>> At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:
>>> 3) Since my assets as a user exist in user land, isn't the risk profile of malicious unmanaged code (deployed via IE/Firefox) roughly the same if I am running as a 'low privileged' user or as administrator? (at the
>> If the administrator's assets are compromised, all users of the system will have their assets compromised.
> Sure, but if the main assets exist within that user's space, then the risk is similar.

No, the only thing at risk is the assets of _that_ user, not the other users.

>> Certainly users should not store credentials in software on a computer.
> Ok, but this is impossible today (at least in Windows).

Windows ? Is that the operating system whose publisher just said it is hopeless to clean up after a successful attack ?

>> If one is not the administrator, there should be no way to install software. If there is, the operating system is underprotected.
> Who said that?

William H. Murray of Deloitte and Touche.

> I might not be able to put it in under the 'Program files' folder, add files to the windows directory or write to some sections of the registry. But since you can run executables, you can perform all sorts of malicious actions.

His ideal model is a machine where the users have no ability to execute a program they introduce to the machine. There is a strict boundary between programs and data. But he is talking about real security, not Windows.

--
Larry Kilgallen