Date: Tue, 7 Dec 2010 19:17:24 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>, Larry Seltzer
	<larry@...ryseltzer.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: verizon vs m$

>On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>> >>> 2. some interpret it as a feature and some as a bug?
>>
>> > Does it have to be either?
>>
>> It sounds to me as if this is a deliberate design decision, and people
>> are disagreeing over the severity of its implications.
>
>Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
>technically not a bug, but it does violate the Principle of Least Surprise.

Or, some people (like Larry) don't have a hyperbolic approach to exploit vector details.  I like Larry's approach, and consider it the most accurate comment thus far (including my own).   Rather than actual white papers and references to M$ and "Exploder," this entire "vector" can be summarized in one sentence: 

If you are running Vista+, and are on a domain, and have not altered the PM defaults, and if you have an unpatched vulnerability in IE that allows an attacker to remotely install a web service that runs on localhost and redirects your browser to that service, and the vulnerability is capable of being re-exploited, then the web service code could launch other code that runs in the Intranet zone with associated security settings that would run in the context of the local user.  

It could even be shortened to: The Intranet Zone has Protected Mode disabled, Internet zone does not.  If you are worried about your domain users being exploited by unknown vulnerabilities that could be launched in the Intranet zone, then add localhost to your restricted zone.  Since they are on a domain, this is a trivial task.

Is this where the industry is now?  If I wrote a similar white paper that applied to open source products and posted it here, I would be appropriately ridiculed off the list.  I'll actually take this as a sign of progress - when the only way Guninski can get his "M$ Exploder" comments in is to reference other people's research-in-the-obvious and have something so trite be referred to as "Broken by Design" then it proves two things: Security is getting better, and people could not care less. 

t
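The mitigation the message describes (the Intranet zone runs without Protected Mode; put localhost in the Restricted Sites zone) can be audited and applied per user with the script below. It is an added example, not code from the post or from Microsoft, and it assumes the documented Internet Explorer registry layout: per-zone settings under `Internet Settings\Zones\<n>` where value `2500` is Protected Mode (0 = enabled, 3 = disabled), and site-to-zone mappings under `ZoneMap\Domains\<host>` with one DWORD per scheme (4 = Restricted Sites). On a domain the same mapping is normally pushed through the "Site to Zone Assignment List" Group Policy rather than written per user.

```powershell
# Added audit/mitigation helper for the localhost-in-Restricted-Sites advice above.
# Assumed registry layout (documented IE zone settings, not taken from the post):
#   Zones\<n>\2500      -> Protected Mode for zone n (0 = enabled, 3 = disabled)
#   ZoneMap\Domains\<h> -> DWORD per scheme giving the zone number (4 = Restricted)
# Run in the context of the user being audited; HKLM policy keys can override HKCU.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ProtectedModeState {
    # One row per zone showing whether Protected Mode is on; the post's point is
    # that zone 1 (Local Intranet) is "Disabled" by default while zone 3 is "Enabled".
    foreach ($z in 0..4) {
        $key = Join-Path $base "Zones\$z"
        $val = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = switch ($val) { 0 { 'Enabled' } 3 { 'Disabled' } default { "Unknown ($val)" } }
        [pscustomobject]@{ Zone = $zoneNames[$z]; ProtectedMode = $state }
    }
}

function Test-LocalhostRestricted {
    # True only if both http and https for localhost are mapped to zone 4.
    $key = Join-Path $base 'ZoneMap\Domains\localhost'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.http -eq 4 -and $p.https -eq 4)
}

function Set-LocalhostRestricted {
    # Apply the mitigation: map localhost into Restricted Sites for both schemes,
    # so a web service listening on localhost is no longer treated as Intranet.
    $key = Join-Path $base 'ZoneMap\Domains\localhost'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'http'  -Value 4 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 4 -PropertyType DWord -Force | Out-Null
}

Get-ProtectedModeState | Format-Table -AutoSize
if (Test-LocalhostRestricted) {
    'localhost is mapped to Restricted Sites.'
} else {
    'localhost is NOT mapped to Restricted Sites; run Set-LocalhostRestricted to apply the mitigation.'
}
```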

