On Sat, 20 Oct 2007 15:46:36 EDT, full-disclosure@xxxxxxxxxxxx said:
> 1) What browser was first vulnerable to these attacks,
> 2) Who was the responsible developer,
I don't know for sure, but I *do* know that whichever developer it
was didn't read the copious notices regarding active content in
RFC1341, including this in Security Considerations:
Security issues are discussed in Section 7.4.2 and in
Appendix G. Implementors should pay special attention to
the security implications of any mail content-types that can
cause the remote execution of any actions in the recipient's
environment. In such cases, the discussion of the
applicaton/postscript content-type in Section 7.4.2 may
serve as a model for considering other content-types with
remote execution capabilities.
So when the WWW guys were choosing MIME as an encapsulation method,
the security issues were *well* understood. It was *known* that if you
were going to have active content, it *had* to be sandboxed in order to
avoid security problems (and in fact, Java showed up with just that sort
of a sandbox available, because the Java crew *did* think about the issues).
But the ability of Javascript to provide dancing hamsters won out, and we've
been dealing with its half-assed security model for the last decade and
a half.
> 3) How was this vulnerable mechanism replicated across all modern
> browsers,
Once one browser had dancing hamsters, the others needed to do so as well,
for feature parity. And once Javascript's busticated security model was
accepted, it got propagated into all the other add-ins and ActiveX and
all the other gee-wiz-bang features.
> 4) Instead of patching individual XSS problems in random web-based
> piano tuning software, why aren't the serious security
> researchers[1] of this list working to develop better technologies
> to block the entire vulnerability class, like the PaX/w^x team has
> done[2], to raise the ante for computer security list posters
> around the world?
Find 5 non-expert computer users in your family, and try the following:
Turn off Javascript, Flash, and other active-content plugins in their
browser. See how long they can surf the web before all 5 are fighting
to be the one to personally remove your gonads with a very blunt knife.
OK? That's what we're up against. And that's why it's so difficult.
For the general user, dancing hamsters trump security every time.
Attachment:
pgpTPzuu8IQou.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/