| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a502f2cf0905290829p7d51eaebv58d8b68c478bce03@mail.gmail.com> Date: Fri, 29 May 2009 20:59:12 +0530 From: David Blanc <davidblanc1975@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed Duarte Silva, the creator of the so-called FFSpy PoC seems to be suggesting that the plugin mechanism of most software which allows a user to run a plugin in the context of the user running the software is flawed. First of all, here is the lame PoC for those who want to read it: http://myf00.net/?p=18 You can see a few comments where people are trying to ask how exactly the attack is carried out. However, Duarte has been giving lame responses such as: "True. But is also interesting to see that there isn’t nothing to ensure the user the plug-in isn’t changed." In his wrap up blog at http://myf00.net/?p=97 he seems to suggest that the existing plugin or add on mechanism of most software is flawed. Do read his comments at the end of the blog. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists