Re: [Full-disclosure] verizon vs m$
- To: "Valdis.Kletnieks@xxxxxx" <Valdis.Kletnieks@xxxxxx>, Larry Seltzer <larry@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] verizon vs m$
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- Date: Tue, 7 Dec 2010 19:17:24 +0000
>On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>> >>> 2. some interpret it as a feature and some as a bug?
>>
>> > Does it have to be either?
>>
>> It sounds to me as if this is a deliberate design decision, and people
>> are disagreeing over the severity of its implications.
>
>Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
>technically not a bug, but it does violate the Principle of Least Surprise.
Or, some people (like Larry) don't have a hyperbolic approach to exploit vector
details. I like Larry's approach, and consider it the most accurate comment
thus far (including my own). Rather than actual white papers and references
to M$ and "Exploder," this entire "vector" can be summarized in one sentence:
If you are running Vista+, and are on a domain, and have not altered the PM
defaults, and if you have an unpatched vulnerability in IE that allows an
attacker to remotely install a web service that runs on localhost and redirects
your browser to that service, and the vulnerability is capable of being
re-exploited, then the web service code could launch other code that runs in
the Intranet zone with associated security settings that would run in the
context of the local user.
It could even be shortened to: The Intranet Zone has Protected Mode disabled,
Internet zone does not. If you are worried about your domain users being
exploited by unknown vulnerabilities that could be launched in the Intranet
zone, then add localhost to your restricted zone. Since they are on a domain,
this is a trivial task.
Is this where the industry is now? If I wrote a similar white paper that
applied to open source products and posted it here, I would be appropriately
ridiculed off the list. I'll actually take this as a sign of progress - when
the only way Guninski can get his "M$ Exploder" comments in is to reference
other people's research-in-the-obvious and have something so trite be referred
to as "Broken by Design" then it proves two things: Security is getting better,
and people could not care less.
t
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
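The two checks the post boils the issue down to, as an added PowerShell example that is not part of the original message or of any Microsoft tooling: read IE's per-zone Protected Mode setting (registry action value 2500 under each zone key: 0 = on, 3 = off; zone 1 is Local intranet, zone 3 is Internet, zone 4 is Restricted sites), and assign a host name to the Restricted sites zone through the ZoneMap\Domains key for the current user. The registry locations and zone numbers are the documented IE ones; the function names, the hard-coded host list and the use of the "*" scheme entry are this example's own choices.

```powershell
# Added example, not code from the original post. Run on Windows in an
# interactive session of the user whose IE zones you want to inspect/change.
# Registry action 2500 = "Turn on Protected Mode": 0 = enabled, 3 = disabled.

$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                 3 = 'Internet';    4 = 'Restricted sites' }

function Get-IEProtectedModeState {
    # Report the Protected Mode flag for each of the five IE security zones.
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZoneRoot $zone
        $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($null -eq $value)   { $state = 'Not set (zone default)' }
        elseif ($value -eq 0)   { $state = 'On' }
        elseif ($value -eq 3)   { $state = 'Off' }
        else                    { $state = "Unknown ($value)" }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ProtectedMode = $state }
    }
}

function Set-IEHostZone {
    # Map a host name to a zone for the current user (ZoneMap\Domains\<host>).
    # Value name '*' applies to every URL scheme; use 'http' or 'https' to scope it.
    # Only host names belong here: IE keeps IP literals under ZoneMap\Ranges, which
    # this example does not handle.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateRange(0, 4)][int]$Zone = 4
    )
    $key = Join-Path $DomainRoot $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Get-IEHostZone {
    # Read back the '*' mapping for a host, or $null if none is set.
    param([Parameter(Mandatory)][string]$HostName)
    $key = Join-Path $DomainRoot $HostName
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name '*' -ErrorAction SilentlyContinue).'*'
}

# Before: on a Vista+ domain member with untouched defaults, expect zone 1 to
# show Protected Mode off and zone 3 on, which is the asymmetry the post describes.
Get-IEProtectedModeState | Format-Table -AutoSize

# The mitigation from the post: put localhost in Restricted sites (zone 4).
Set-IEHostZone -HostName 'localhost' -Zone 4
"localhost is now in zone: $(Get-IEHostZone -HostName 'localhost')"
```

For a domain-wide rollout, the same mapping is pushed with the Internet Explorer "Site to Zone Assignment List" policy (site "localhost", zone "4") rather than by editing each user's HKCU hive; policy-driven zone settings also land under the Policies subtree, so an HKCU read like the one above can show "Not set" on a machine where the effective value is actually forced by GPO. Note too that a name-based entry only covers the name: a page that is redirected to 127.0.0.1 or to the machine's own host name is judged by whichever zone those resolve to, so check those as well before relying on this.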