From: hggdh at attbi.com (HggdH)
Subject: MS02-065 vulnerability

Paul ("Paul Szabo" <psz@...hs.usyd.edu.au>) replied:
(...)
|
| The work-arounds suggested by Microsoft probably work. They might even
| "come clean" and suggest to disable ActiveX, or even go as far as to ask
| users to "get off" IE (and use Netscape or Mozilla or whatever), or to
| upgrade to Linux.
|
| The fact remains that installing the patch does not protect the (IE) user.

Indeed. I am sorry I did not realise your point on the first post. It
minimises, at most, the exposure... until the sucker, uh, user, hits a
malicious web site.

(...)

| > The real interesting part, for me, is that the trust on the trusting
| > mechanism has been shattered. Finally.
|
| Agreed.


Which puts us back on the Microsoft implementation: the most I can "trust",
from a signed piece of code, is that it was correctly signed. Microsoft
expanded this to "I can not only trust it was correctly signed, but I am
also going to allow *any* code from this publisher to be automatically
installed on my system". In other words, "if the signature is good, then the
contents are also good".

This seems to me not only a jump in logic, but a straight dive into the
faith pool. We do not just trust a publisher anymore, but we believe in it.
And it amazes me nobody else is commenting on it. I have not seen anything
on the other major security lists up to now.

As said earlier, Microsoft should put out a special Security Bulletin
implementing the removal of automatic trust from itself. And I see this
bulletin being as important as any other critical fix. I hope Microsoft
realises the fallacy it has put itself in, and corrects it.

Ah well.
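The distinction this message draws between "the signature is good" and "the contents are good", as an added Go example that is not part of the thread or of any Microsoft code: a constructed publisher key signs two builds, the "auto-trust this publisher" policy accepts every build the key ever signed, and a stricter policy also requires the exact build to be on a reviewed allowlist. All keys, builds and function names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Artifact is a downloadable piece of code plus the publisher's signature over it.
type Artifact struct {
	Code []byte
	Sig  []byte
}

// NewPublisherKey makes a constructed signing key standing in for a real code signer.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignCode is what the publisher does to every build it ships, sound or flawed.
func SignCode(priv ed25519.PrivateKey, code []byte) Artifact {
	return Artifact{Code: code, Sig: ed25519.Sign(priv, code)}
}

// Sha256Hex identifies one exact build, independent of who signed it.
func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignatureValid answers only one question: was this byte string signed by the
// holder of the publisher's key? It says nothing about what the code does.
func SignatureValid(pub ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pub, a.Code, a.Sig)
}
// PolicyAutoTrustPublisher is the "install anything this publisher signed" rule
// the thread criticises: every build the key ever signed stays installable.
func PolicyAutoTrustPublisher(pub ed25519.PublicKey, a Artifact) bool {
	return SignatureValid(pub, a)
}
// PolicyAllowlist requires the signature AND that this exact build is on a
// reviewed allowlist, so a signed build that was later withdrawn is refused.
func PolicyAllowlist(pub ed25519.PublicKey, allow map[string]bool, a Artifact) bool {
	return SignatureValid(pub, a) && allow[Sha256Hex(a.Code)]
}
```

The allowlist here is a stand-in for any per-build decision (review, revocation, minimum version); the point is that the decision is made on the build, not on the signer alone.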

