| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <003001c7f951$02e68f00$08b3ad00$@org> Date: Mon, 17 Sep 2007 23:04:28 +0530 From: "Strykar" <str@...kerzlair.org> To: "'Tim Brown'" <tmb@...35.com>, <bugtraq@...urityfocus.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Next generation malware: Windows Vista's gadget API > > Firstly, "the sky isn't falling, the risks posed by the gadget API > already > existed elsewhere in Windows generally, but this is another new attack > surface without any legacy dependencies". This is my general view on > the > gadget API. > Yahoo widgets. > Finally, why on earth does the trust model for gadgets consist of full > trust > and nothing more. Why not allow gadgets to state in their manifest > that for > example they don't need to execute things, won't make use of ActiveX > controls > and will only connect to a specific host? > Or have the OS force a restrained environment for them to run within. The usability and convenience offered by them isn't worth the opportunities they proffer. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists