Open Source and information security mailing list archives
Date: Mon, 31 Jan 2011 15:34:32 -0500
From: Michael Holstein <michael.holstein@...ohio.edu>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Vulnerability discloses PIN used in Microsoft Excel secure printing

> I assume it is embedded so that cancelled or queued jobs can still require PIN. You can't have one job pause all other jobs in the queue, so it would need some way of continuing from bypass. The whole "vulnerability" angle is pretty lame.
>

How it works on our Xerox printers is you hit a button to pull up the jobs, and the secure ones are held (in memory, on the printer) until the user enters the same code embedded in the job. The primary purpose is to target the resistance against departmental printers under the "privacy" angle. Jobs that don't have this tag print FIFO ("secure" jobs are a separate queue internally). The PIN is just an attribute sent by the PostScript driver and embedded in the job.

I have seen print drivers and hardware that do operate in a "secure" manner (we have ID printers that do this), but IMHO that's more for license compliance than actual security of the information.

The fact that Excel stores it as a printing default is interesting, but hardly a vulnerability. If you have access to the document to see the printing PIN in metadata, you obviously can read the document itself... It'd be like saying "OMG! Excel remembers what size paper I like to use".

One could argue the whole "creatures of habit" aspect around the PIN (dammit, now I need to change my luggage), but the whole "secure print" thing is sort of a misnomer and more of a marketing trick (internally and externally) than anything else.

Cheers,

Michael Holstein
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/