Message-ID: <4128DF3F.10773.2A31CA43@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: What A Drag! -revisited-
mikx wrote:
> To prove it's not "hype" created by the media or companies like
> Secunia, I created another proof-of-concept based on http-equiv's code
> that hides both the image to drag and the local folder you drop it to.
> As a result using the window scrollbar will install malware in your
> startup folder.
<<snip>>
Whilst this is all very interesting, anyone who thinks http-equiv's
little drag'n'drop trick is not serious clearly needs a swift kick in
the privates, independent of your, or anyone else's, additional PoCs.
It takes almost no understanding of HTML, embedded scripting and "how
the world works" to recognize that it would be trivial to recast
http-equiv's exploit into some cheesy "game" scenario, and many, many others
of differing attraction values to different user constituencies. All
that is needed is some vaguely plausible scenario, within the bounds of
"expected behaviour" for the chosen paradigm, in which dragging and
dropping items is an integral, "normal" or "expected" part of the
interaction between player and "game" (or whatever the scenario).
Further, it is highly likely that other action events that IE supports,
besides drag'n'drop, will also be able to be "hijacked" in similar
ways, resulting in interestingly unintended outcomes.
Of course, MS does not like admitting that lots of the fancy, schmancy
rubbish it has "enhanced" its browser with is, when viewed under the
light of intelligent, security-minded analysis, obviously dangerous and
undesirable -- after all, MS spent most of the last decade following
Billy Boy's edict that the environment should mask most of the
"boundaries" that intelligent security analysis suggests should be
painted in alternating yellow and black hazard stripes. Until a little
over two years ago, Bill championed the value of easing the user's
experience at nearly every other possible cost, and the MS lemmings
followed along, gleefully hiding what should be such important
behaviour-modifying boundaries as those between "local machine" and
"open sewer"^H^H^H^H^H^H^H^H^H^H^H"Internet" as part of their desktop/
browser integration moves and so on.
Hopefully though, in this brave, new, post-XPSP2 world in which MS has
tasted the value of liberating itself from outright featuritis in
favour of somewhat more intelligent security, the downplayers of
security bug severity at MSRC will lighten up and start to realize that
just because a potential victim has to be "lured" to a web site and
then "persuaded" to drag'n'drop something, that does not automatically
render the issue ignorable. When blatant, user-targeted warnings about
terrible security threats (such as Office 97's macro virus warning
dialogs) are known to have no useful effect, or when users will apparently
unzip unexpected Email attachments that require them to enter a
password from the body of the accompanying, extremely curt, message
_and then_ manually execute the virus within, or when folk will still
send their life savings to Nigeria for thinly veiled and untraceable
lies promising vast, illicit wealth, does any intelligent security
analyst really believe that it is likely to be at all difficult to get
"enough" idiot users to click on a link, do a little dragging'n'dropping
and completely unsuspectingly shoot off both their computing feet
in the process?
Come on MSRC, get freaking real here...
The folk at Mozilla recently recognized a very similar thing with the
"predictable location of the download authorization button" problem:
http://bugzilla.mozilla.org/show_bug.cgi?id=162020
(after far too many months of keeping it under the blanket mind you),
so maybe it's time for MS to pull itself up to Mozilla's standard?
Given how evil open source is (just ask Bill and Ben^H^H^HSteve), I'm
sure MS would not want to be seen to be operating _below_ the standards
of one of the largest (and therefore most evil) of open source
projects, particularly on a security issue, given MS' new-found
interest in actually getting some...
Regards,
Nick FitzGerald