Open Source and information security mailing list archives
 
Message-ID: <4128DF3F.10773.2A31CA43@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: What A Drag! -revisited-

mikx wrote:

> To prove it's not "hype" created by the media or companies like
> Secunia, I created another proof-of-concept based on http-equiv's code
> that hides both the image to drag and the local folder you drop it to.
> As a result, using the window scrollbar will install malware in your
> startup folder.
<<snip>>

Whilst this is all very interesting, anyone who doesn't think
http-equiv's little drag'n'drop trick is serious clearly needs a swift
kick in the privates, independent of your, or anyone else's, additional
PoCs.

It takes almost no understanding of HTML, embedded scripting and "how
the world works" to recognize that it would be trivial to recast
http-equiv's exploit into some cheesy "game" scenario, and many, many
others of differing attraction values to different user constituencies.
All that is needed is some vaguely plausible scenario, within the bounds
of "expected behaviour" for the chosen paradigm, in which dragging and
dropping items is an integral, "normal" or "expected" part of the
interaction between player and "game" (or whatever the scenario).
Further, it is highly likely that other action events that IE supports,
besides drag'n'drop, will also be able to be "hijacked" in similar
ways, resulting in interestingly unintended outcomes.

Of course, MS does not like admitting that lots of the fancy-schmancy
rubbish it has "enhanced" its browser with is, when viewed under the
light of intelligent, security-minded analysis, obviously dangerous and
undesirable -- after all, MS spent most of the last decade following
Billy Boy's edict that the environment should mask most of the
"boundaries" that intelligent security analysis suggests should be
painted in alternating yellow and black hazard stripes.  Until a little
over two years ago, Bill championed the value of easing the user's
experience at nearly every other possible cost, and the MS lemmings
followed along, gleefully hiding what should be such important
behaviour-modifying boundaries as those between "local machine" and
"open sewer"^H^H^H^H^H^H^H^H^H^H^H"Internet" as part of their
desktop/browser integration moves and so on.

Hopefully though, in this brave, new, post-XPSP2 world in which MS has
tasted the value of liberating itself from outright featuritis in
favour of somewhat more intelligent security, the downplayers of
security bug severity at MSRC will lighten up and start to realize that
just because a potential victim has to be "lured" to a web site and
then "persuaded" to drag'n'drop something, that does not automatically
render the issue ignorable.  When blatant, user-targeted warnings about
terrible security threats (such as Office 97's macro virus warning
dialogs) are known to have no useful effect, or when users will
apparently unzip unexpected email attachments that require them to enter
a password from the body of the accompanying, extremely curt, message
_and then_ manually execute the virus within, or when folk will still
send their life savings to Nigeria for thinly veiled and untraceable
lies promising vast, illicit wealth, does any intelligent security
analyst really believe that it is likely to be at all difficult to get
"enough" idiot users to click on a link, do a little dragging'n'dropping
and completely unsuspectingly shoot off both their computing feet
in the process?

Come on MSRC, get freaking real here...

The folk at Mozilla recently recognized a very similar thing with the 
"predictable location of the download authorization button" problem:

   http://bugzilla.mozilla.org/show_bug.cgi?id=162020

(after far too many months of keeping it under the blanket, mind you),
so maybe it's time for MS to pull itself up to Mozilla's standard?

Given how evil open source is (just ask Bill and Ben^H^H^HSteve), I'm 
sure MS would not want to be seen to be operating _below_ the standards 
of one of the largest (and therefore most evil) of open source 
projects, particularly on a security issue, given MS' new-found 
interest in actually getting some...


Regards,

Nick FitzGerald

