Open Source and information security mailing list archives
 
Message-ID: <200402100351.i1A3pT6W013720@caligula.anu.edu.au>
Date: Tue, 10 Feb 2004 14:51:29 +1100 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: davids@...master.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer


In some mail from David Schwartz, sie said:
> 
> 
> 	This is a total non-issue. Almost every attack vector that could place a
> malicious DLL in the same directory as IE could replace IE itself or snap
> screen captures. SSL is not intended to protect against attacks on either
> endpoint.
> 
> 	This is like complaining that your safe doesn't keep people from breaking
> your windows. Of course Microsoft has no intended fix, nothing is broken.
[...]

Oh rubbish.

Signed applications and signed DLLs and signed drivers.
Well, all of those aren't there yet (only drivers for Windows),
but it's coming to a Unix near you SOONER rather than later.

Or is that the kind of thing you disable upon installation
because it gets in the way of you being able to install whatever
"you" want?

Darren

