Message-ID: <58DB1B68E62B9F448DF1A276B0886DF16EB6C432@EX2010.hammerofgod.com>
Date: Mon, 6 Dec 2010 16:57:44 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Dan Kaminsky <dan@...para.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: verizon vs m$
> > -----
> > Finally, Microsoft and other software vendors should clearly document
> > which features do and do not have associated security claims. Clearly
> > stating which features make security claims, and which do not, will allow
> > informed decisions to be made on IT security issues.
> > -----
>
> From 2007:
>
> http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html
>
> "Vista makes tradeoffs between security and convenience, and both UAC
> and Protected Mode IE have design choices that required paths to be
> opened in the IL wall for application compatibility and ease of use,"
> he wrote.
>
> Because the boundaries defined by UAC and Protected Mode IE are
> designed to be porous, they can't really be considered security barriers, he
> said. "Neither UAC elevations nor Protected Mode IE define new Windows
> security boundaries," Russinovich wrote. "Because elevations and ILs don't
> define a security boundary, potential avenues of attack, regardless of ease or
> scope, are not security bugs."
>
> He said Microsoft had communicated this in the past, but that the point
> needed reiterating.
>
> (Note that Russinovich is properly cited in the Verizon Business report -- just
> pointing out that this has come up before.)
Did you read the Reg article? It has nothing to do with the definition of a "security boundary." It's not about that at all. It's about a title tease of "bypassing protected mode" with associated inaccurate content when the whole thing could be summarized with "Protected Mode is not enabled by default in the Intranet zone." The "boundary" conversation, while interesting, is irrelevant here.
I know times are tough and click-throughs on ads need to be maximized, but I don't think misrepresentation of technical content is appropriate. I can understand why the Reg would write the article, but I asked Guninski if the reason he posted it was because he considered Protected Mode being disabled by default in the Intranet zone some sort of security issue.
t
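A defender-side check for the configuration point made above (Protected Mode is not enabled by default in the Intranet zone), added here as an example and not part of the original thread: it reads the per-zone Protected Mode value for the current user and for any machine-wide policy override and lists each zone's state. The zone numbers, registry paths and the meaning of value `2500` (0 = Protected Mode enabled, 3 = disabled) are the standard Internet Settings layout; the function name `Get-ProtectedModeState` is my own.

```powershell
# Added example (not from the thread): audit Internet Explorer Protected Mode
# per security zone. Layout assumed (standard Internet Settings registry):
#   zone 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites,
#   3 = Internet, 4 = Restricted Sites
#   value 2500: 0 = Protected Mode enabled, 3 = Protected Mode disabled
# A policy value under HKLM\...\Policies overrides the per-user value when
# present, so both are reported side by side.

$zoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

$userRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Hypothetical helper name: returns a short state string for one zone key.
function Get-ProtectedModeState {
    param([string]$Root, [int]$Zone)

    $key = Join-Path -Path $Root -ChildPath $Zone
    if (-not (Test-Path -Path $key)) { return 'not set' }

    $props = Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'not set' }

    switch ($props.'2500') {
        0       { 'enabled' }
        3       { 'disabled' }
        default { "unknown ($($props.'2500'))" }
    }
}

# Collect one row per zone; a 'disabled' or 'not set' user setting with no
# policy override means content in that zone runs outside Protected Mode.
$report = foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
    [pscustomobject]@{
        Zone          = $zone
        Name          = $zoneNames[$zone]
        UserSetting   = Get-ProtectedModeState -Root $userRoot   -Zone $zone
        PolicySetting = Get-ProtectedModeState -Root $policyRoot -Zone $zone
    }
}

$report | Format-Table -AutoSize
```

Run it in the context of the user whose browser configuration you want to audit; the policy column only shows a value when Group Policy has pinned the setting machine-wide.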
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/