Message-ID: <AANLkTinjE+CJ0LXwxm=K2smtiN-ph75QJS=NLog1e254@mail.gmail.com>
Date: Mon, 6 Dec 2010 22:04:57 +0900
From: Dan Kaminsky <dan@...para.com>
To: Georgi Guninski <guninski@...inski.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: verizon vs m$
> -----
> Finally, Microsoft and other software vendors should clearly document which features do and do not
> have associated security claims. Clearly stating which features make security claims, and which do not,
> will allow informed decisions to be made on IT security issues.
> -----

From 2007:
http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html

"Vista makes tradeoffs between security and convenience, and both UAC
and Protected Mode IE have design choices that required paths to be
opened in the IL wall for application compatibility and ease of use,"
he wrote.

Because the boundaries defined by UAC and Protected Mode IE are
designed to be porous, they can't really be considered security
barriers, he said. "Neither UAC elevations nor Protected Mode IE
define new Windows security boundaries," Russinovich wrote. "Because
elevations and ILs don’t define a security boundary, potential avenues
of attack, regardless of ease or scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the
point needed reiterating.

(Note that Russinovich is properly cited in the Verizon Business
report -- just pointing out that this has come up before.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/