| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: smenard at nbnet.nb.ca (smenard) Subject: IT IS POSSIBLE "driveby download" OK I have been bitten too, luckily when they do they try to access to net and ZoneAlarm says Object800010.. is trying to access ....... Hence further investigation leads to... Security policy There is a local security policy: for Unsigned NON-DRIVER installation ---from experience--- BY default it is EITHER not defined or -SILENTLY SUCCEED if a user does not touch [let alone know they are supposed to] the local security policy. They will get bitten regardless of IE zone except highest smenard ----- Original Message ----- From: "Thor Larholm" <lists.netsys.com@...ript.dk> To: "Richard M. Smith" <rms@...puterbytesman.com>; <full-disclosure@...ts.netsys.com> Cc: "'Brian McWilliams'" <brian@...radio.com> Sent: Friday, January 31, 2003 11:29 AM Subject: Re: [Full-Disclosure] Origin of the term "driveby download" > From: "Richard M. Smith" <rms@...puterbytesman.com> > > Yes, there is ActiveX warning message for a driveby download, but I > > think it is classic "blaming the victim" to call users who click the yes > > button as "stupid". > > The term "driveby download" heavily implies an automated install process, > but we all know that there is no such automation here - the user has to > explicitly consent. > > Because of this FUD term, articles such as > http://wired.com/news/infostructure/0,1377,57467,00.html has sentences like > this: > > "And the toolbar will install itself automatically when Internet Explorer's > security settings aren't set to the highest level." > > As we all know (if you didn't know, then now you do), signed ActiveX > components require explicit user consent before installing - on anything > except the very MINIMUM security settings. The default settings, heck even > lowered settings above the minimum (there are 4 default levels of settings), > will ask for explicit consent. > > As such, could we please avoid using that term? It is confusing at best and > havocing for (otherwise fruitfull) debates at worst. > > Navigating your browser to an arbitrary website can bring up an "Open/Save > file" dialog for an EXE file, but just because a large percentage of > clueless users click the Open button does not mean that we label the process > as a "driveby download", or any such FUD term. Lack of clue in the victim > does not impose a lack of security in the product. > > And on the topic, both the "No" button (for signed ActiveX) and the "Save" > button (for file dialogs) are the default active buttons - in case you just > press Enter/Space. > > > If an ActiveX control auto-installs without a security warning, then > > most likely security settings must be messed up. > > If an ActiveX control auto-installs without a security warning, then you > have set your security settings to the lowest possible. > > > Regards > Thor > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists