| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Sep 2010 08:29:44 -0400 From: Charles Morris <cmorris@...odu.edu> To: Dan Kaminsky <dan@...para.com> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au> Subject: Re: DLL hijacking with Autorun on a USB drive On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky <dan@...para.com> wrote: > > > > > On Aug 31, 2010, at 2:20 PM, Charles Morris <cmorris@...odu.edu> wrote: > >> On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky <dan@...para.com> wrote: >> >>> >>> Again, the clicker can't differentiate word (the document) from word (the >>> executable). The clicker also can't differentiate word (the document) >>> from >>> word (the code equivalent script). >>> >>> The security model people keep presuming exists, doesn't. >>> >>> Even the situation whereby a dll is dropped into a directory of documents >>> -- >>> the closest to a real exploit path there is -- all those docs can be >>> repacked into executables. >>> >> >> What? >> >> I can differentiate my coolProposal.doc from msword.exe just fine.. >> > > Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with > a changed icon, and see what you notice. > Mr. Szabo has already slapped your wrist for such undeserved arrogance. And yeah, I find it a joke that you think that ".ppt.exe" isn't pretty damn obvious. I might have fell for that when I was 9, but I haven't had a problem with a windows box in years. I will admit, at 3AM when I've been working for 18 hours and awake for 36, it is possible that I may double-click such a malicious file and then immediately think "OH shit" and rebuild. I know what we can do, we can repackage the "Hey watch out for badguys masquerading as innocent files" that everybody already knows about, contact CERT and negotiate a fix between major vendors (Hey this isn't just a MS vulnerability right??), then give a talk at blackhat to establish our fame, but now that I think about it.. that would be rude to the people who have been complaining about this since 1999. > >> If your statement is that the windows defaults should be changed, >> including the "hide extensions" default, then I wholeheartedly agree >> as I detailed in my first post. It's the first thing I turn off. >> >> Many people who think the same way have considered that a >> vulnerability in windows for years, I wouldn't consider it part of >> the "DLL Hijacking" fiasco. > > Imagine if the browser lock meant arbitrary code could run. > > I find your faith in small collections of pixels hilarious. > Imagine if the keyboard LED meant arbitrary code could run!! What? I don't even understand what you are getting at. This has nothing to do with faith in icons. My statement was that windows defaults arguably represent a vulnerability in the GUI by making "proposal.doc" indistinguishable from "proposal.doc.exe with a crafted icon", when you are encouraged to double-click the icons through the GUI, and when "doc" files are supposed to be innocent to open. I was also stating the fact that this vulnerability should be addressed outside of the scope of the "DLL Hijacking" mess. Cheers, Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists