lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 30 Aug 2010 17:52:27 -0400
From: Dan Kaminsky <dan@...para.com>
To: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking with Autorun on a USB drive

On Mon, Aug 30, 2010 at 11:45 AM, Pavel Kankovsky <
peak@...o.troja.mff.cuni.cz> wrote:

> On Thu, 26 Aug 2010, Dan Kaminsky wrote:
>
> > The question is whether they're supposed to execute code in this
> > particular context.
>
> I think the question ought to be: what authority and privileges shall be
> granted to the code when it is executed?
>

Yeah, and the thing about all of the desktop shells (Explorer, Finder, etc)
is that they're all just as happy to open a Word Document with winword.exe,
as they are to open winword.exe (or something else with that name) itself.
In other words, the security model is that authority and privileges are the
expansive set that is full code execution as that user.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ