[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200310302323.h9UNN1K389753@milan.maths.usyd.edu.au>
From: psz at maths.usyd.edu.au (Paul Szabo)
Subject: RE: Internet Explorer and Opera local zone restriction bypass
Thor Larholm <thor@...x.com> wrote:
>> Storing in an unpredictable location might help.
>> Obfuscation does not: instead of setting a cookie
>> of BadThing, the attacker could set one that will
>> become BadThing. The need to reverse-engineer the
>> obfuscation, and details like possible character
>> sets, are a minor hindrance only.
>> Security by obscurity does not work.
>
> If you had followed the debate in detail ...
I did: see
http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#IExplore
> ... there is absolutely no reverse-engineering that will convince IE to
> render a BAE-64 encoded string as HTML.
Huh? Cannot the encoded string look like valid HTML? - Did you mean BASE64?
Are you sure Macromedia will choose that? Can you trust IE not to attempt
BASE64 decoding, if it notices that is how the content is encoded? After
all it is so user-friendly... - Macromedia should not use BASE64, but any
other (proprietary, unusual, just-for-this-purpose) encoding; maybe simply
prepend the stored content with a few non-text bytes.
> ... Loading a locally residing file in a window object brings nothing new
> into the world of IE exploits ...
So you agree that it is idiotic to trust local files? - In fact, IE does
not trust local files: it excludes the TIF. Does it simply suffer from the
"ban known bad" instead of "allow known good" syndrome? Should it exclude
the Macromedia locations also? Should it be made suspicious by default,
trusting a few "known good" locations like \winnt only?
> There is no obscurity being promised here, just an additional layer of
> security ...
An additional layer of obfuscated false sense of security.
> ... all we want is to avoid having Flash used as an automated transport
> mechanism of data from the Internet Zone to any local security zones.
"We"? You seem to be confused: you sold your soul to the Devil (aka MS),
not to Macromedia.
Only when IE fixes its cross-domain problems, and/or the problem of random
local files being in the trusted zone, will the issue be solved. It is very
kind of Macromedia to endeavour to work around the problem; attackers will
just choose a different mechanism.
Cheers,
Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
Powered by blists - more mailing lists