lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040209192029.GC17237@wirex.com>
Date: Mon, 9 Feb 2004 11:20:29 -0800
From: Seth Arnold <sarnold@...ex.com>
To: bugtraq@...urityfocus.com
Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer

On Mon, Feb 09, 2004 at 01:24:04PM -0500, Disclosure From OSSI wrote:
> But this mechanism can only protect a limited segment of WINDOWS users
> against this “DLL proxy” attack. For example, XP Home Edition
> (SP1) is installed by default with administrator privileges for
> accounts and therefore ACL for program folders are wide open to be
> modified.  Many Windows platforms use an un-secured file system such
> as FAT or FAT32 without ACL protection.

By definition, anyone running any such system has explicitely decided to
trust all the users of the machine to act in accordance with common
shared goals.

You're confusing security mechanism with security policy; if someone's
security policy allows everyone to have administrator status, then this
is NOT a security problem, as you claim. This is legitimate use of
legitimate privileges.

-- 
Immunix Secured Linux Distribution: http://immunix.org/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ