Message-ID: <AANLkTimfeDZ2YX-Pz=wcJJK90zswB426S5vPV=ei_qf-@mail.gmail.com>
Date: Fri, 27 Aug 2010 01:18:48 -0400
From: Dan Kaminsky <dan@...para.com>
To: paul.szabo@...ney.edu.au
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking with Autorun on a USB drive
On Fri, Aug 27, 2010 at 1:06 AM, <paul.szabo@...ney.edu.au> wrote:
> Dan Kaminsky <dan@...para.com> wrote:
>
> >> Badly setup desktops: do not "hide extensions", maybe view details
> >> (or list) not icons.
> >
> > All that matters is defaults, and icons are way more powerful ...
>
> Those defaults are wrong, change them. Anyway, icons are shown
> with "view details".
>
I think you mean application types are shown with "view details". The
problem is, there are a couple dozen application types that are all code
execution equivalent by design. Do you know all of them? Why should a
user?
>
> > The web browser and the email client are not designed to launch
> > arbitrary code. The desktop ... is.
>
> This attack may happen through the browser (UNC paths or somesuch).
> Any talk about USB sticks or desktops is bogus.
>
>
There's no path between IE and a UNC window that doesn't either security
prompt or raise an unadorned Explorer window to a remote share. I could see
an argument that the latter should prompt, given that it's a (by definition)
code execution context. But that's about it.
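An added defender-side check, not part of this thread or either poster's material, for the two desktop defaults argued about above (hidden extensions and Autorun). The registry paths and value names are the standard Explorer settings; the interpretation in the comments is the editor's, and PATHEXT is only the command shell's list of executable extensions, not the full set of code-execution-equivalent application types Dan refers to.

```powershell
# Added example, not from the thread: audit and optionally correct the two Explorer
# defaults under discussion. Registry locations are the standard Windows settings;
# PATHEXT is only the shell's own list and does not cover every executable file type.

function Get-ExplorerHardeningReport {
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # HideFileExt = 1 is "Hide extensions for known file types", the default the thread objects to.
    $hideExt = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt

    # NoDriveTypeAutoRun is a bitmask of drive types with Autorun disabled; 0xFF covers all of them.
    $noAutorun = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    [pscustomobject]@{
        ExtensionsHidden          = ($hideExt -eq 1)       # absent value is treated as "shown"
        AutorunDisabledAllDrives  = ($noAutorun -eq 0xFF)  # absent policy means Autorun is not restricted
        ShellExecutableExtensions = ($env:PATHEXT -split ';' | Where-Object { $_ })
    }
}

function Set-ExplorerHardening {
    # Show extensions for the current user and disable Autorun for every drive type machine-wide.
    # The HKLM policy write needs an elevated prompt; Explorer applies HideFileExt after a restart or logoff.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Report the current state; call Set-ExplorerHardening from an elevated prompt to change it.
Get-ExplorerHardeningReport | Format-List
```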