[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed
- From: David Blanc <davidblanc1975@xxxxxxxxx>
- Date: Fri, 29 May 2009 20:59:12 +0530
Duarte Silva, the creator of the so-called FFSpy PoC seems to be
suggesting that the plugin mechanism of most software which allows a
user to run a plugin in the context of the user running the software
is flawed.
First of all, here is the lame PoC for those who want to read it:
http://myf00.net/?p=18 You can see a few comments where people are
trying to ask how exactly the attack is carried out. However, Duarte
has been giving lame responses such as: "True. But is also interesting
to see that there isn’t nothing to ensure the user the plug-in isn’t
changed."
In his wrap up blog at http://myf00.net/?p=97 he seems to suggest that
the existing plugin or add on mechanism of most software is flawed. Do
read his comments at the end of the blog.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/