[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY404-EAS96D51CCA20E80226C444BFF2410@phx.gbl>
Date: Wed, 30 Apr 2014 19:32:36 -0400
From: Mike Cramer <mike.cramer@...look.com>
To: "'Brandon Perry'" <bperry.volatile@...il.com>
Cc: fulldisclosure@...lists.org, 'Stefan Kanthak' <stefan.kanthak@...go.de>,
'Alton Blom' <altonius@...il.com>
Subject: Re: [FD] Beginners error: iTunes for Windows runs rogue program
C:\Program.exe when opening associated files
Not necessarily, I’m just restating what is mentioned on the mitre post, which I feel can be a bit misleading.
There are lots of “what if” scenarios involved in exploitation of this vulnerability. And while I agree with you, the ultimate fix to all of these problems is to execute only signed executables and libraries and only when the system has Secure Boot enabled with a TPM.
Obviously extending this solution down to the library and executable level is far from ideal on general purpose computing.
So where do you draw the line?
I draw the line at “not likely to happen”, “in the most widespread cases already requires elevated privilege to use”, and also importantly, “incredibly easy to find by forensics groups assuming no other persistent hooks of the underlying kernel.”
-Mike
From: Brandon Perry [mailto:bperry.volatile@...il.com]
Sent: Wednesday, April 30, 2014 19:28
To: Mike Cramer
Cc: Alton Blom; fulldisclosure@...lists.org; Stefan Kanthak
Subject: Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files
The practice of creating persistent services from temp directories is
"generally avoided". I see what you're saying, but the use case which you
mentioned is an extremely long shot scenario. While possible, it's not
likely going to happen.
So you're definition of vulnerability relies on likelihood. Gotcha.
Don't confuse risk with being vulnerable.
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists