| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Sep 2010 00:59:06 +0200 From: Christian Sciberras <uuf6429@...il.com> To: Valdis.Kletnieks@...edu Cc: full-disclosure@...ts.grok.org.uk, cmorris@...odu.edu, paul.szabo@...ney.edu.au Subject: Re: DLL hijacking with Autorun on a USB drive > (and yes, "interpreted data" like shell scripts and Java .class files and Flash > are the sort of neither-fish-nor-fowl that give security models headaches, so > don't bother flaming about that. ;) OK. Also add exploits in non-executable data as well (such as a certain gif...). What was your point again? Cheers. On Wed, Sep 1, 2010 at 12:56 AM, <Valdis.Kletnieks@...edu> wrote: > On Wed, 01 Sep 2010 08:34:47 +1000, paul.szabo@...ney.edu.au said: >> Christian Sciberras <uuf6429@...il.com> wrote: >> >> > Why do you say harmless? Because you know a text file can't do >> > anything at all. >> >> Exactly. The victim is attempting to view a plain text file. Surely >> that can be done safely? > > Only if your OS's security model understands the fact that executable code > and data belong in different security domains and thus different rules should > apply about what files to "trust" in each category. > > (and yes, "interpreted data" like shell scripts and Java .class files and Flash > are the sort of neither-fish-nor-fowl that give security models headaches, so > don't bother flaming about that. ;) > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists