lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <41A942BE.8050501@easynix.net>
From: devis at easynix.net (devis)
Subject: MS Windows Screensaver Privilege Escalation

Pavel Kankovsky wrote:

>On Thu, 25 Nov 2004, 3APA3A wrote:
>
>They have two different groups of users: more or less almighty
>Administrators and Power Users who are supposed to be less powerful. But
>Power Users are in fact as powerful as Administrators. This leads to a
>false sense of security and this is a vulnerability...even if it might not
>be a vulnerability in the technical sense. Why don't they remove the group 
>or disable it when users should not be assigned to it?
>
>Moreover, it is pretty stupid to give users rights to modify critical
>system directories just to let them install new software.
>
>--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
>"Resistance is futile. Open your source code and prepare for assimilation."
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>  
>
I have to completely agree on both points. But will MS switch to a real 
secure model or will it keep its 'useability' by running 'default' 
priviledged ?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ