| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 5 Dec 2010 21:05:26 -0500 From: Larry Seltzer <larry@...ryseltzer.com> To: "Thor (Hammer of God)" <thor@...merofgod.com>, Georgi Guninski <guninski@...inski.com>, full-disclosure@...ts.grok.org.uk Subject: Re: verizon vs m$ I think the Intranet zone was Medium in IE6 but of course there was no Protected Mode there. Maybe that's where the confusion is from. -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Thor (Hammer of God) Sent: Sunday, December 05, 2010 8:50 PM To: Georgi Guninski; full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] verizon vs m$ I don't understand how Dan arrived at "Researchers bypass Internet Explorer Protected Mode" for the article title. Protected Mode isn't being bypassed at all - the "researchers that figured out a reliable way to bypass the measure" apparently just noticed that Protected Mode is disabled by default in the Local Intranet Zone. Is this something you are concerned about? This would obviously only be exploitable by accessing sites on one's own intranet by specifically using intranet nomenclature (and trusted sites, but the user has to add those). Also, the article (or the researchers) are incorrect about the default settings for the Intranet zone - it's Medium-low, not Medium. If the problem one is trying to fix is based on attackers compromising intranet sites and then posting code for unpatched vulnerabilities that would still end up only running in the user context, then you've got much bigger problems, no? I'm just wondering why you are brining attention to the article, or really, why it was written in the first place. t -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Georgi Guninski Sent: Sunday, December 05, 2010 1:26 PM To: full-disclosure@...ts.grok.org.uk Subject: [Full-disclosure] verizon vs m$ in a world like this, verizon kills exploder bugs: http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/ http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftp rotectedmodeinternetexplorer_en_xg.pdf the language doesn't seem passionate: ----- Finally, Microsoft and other software vendors should clearly document which features do and do not have associated security claims. Clearly stating which features make security claims, and which do not, will allow informed decisions to be made on IT security issues. ----- lol -- joro _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists