Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

[Mike Cramer <mike.cramer@xxxxxxxxxxx>]

Not necessarily, I’m just restating what is mentioned on the mitre post, which 
I feel can be a bit misleading.

 

There are lots of “what if” scenarios involved in exploitation of this 
vulnerability. And while I agree with you, the ultimate fix to all of these 
problems is to execute only signed executables and libraries and only when the 
system has Secure Boot enabled with a TPM.

 

Obviously extending this solution down to the library and executable level is 
far from ideal on general purpose computing.

 

So where do you draw the line?

 

I draw the line at “not likely to happen”, “in the most widespread cases 
already requires elevated privilege to use”, and also importantly, “incredibly 
easy to find by forensics groups assuming no other persistent hooks of the 
underlying kernel.”

 

-Mike

 

From: Brandon Perry [mailto:bperry.volatile@xxxxxxxxx] 
Sent: Wednesday, April 30, 2014 19:28
To: Mike Cramer
Cc: Alton Blom; fulldisclosure@xxxxxxxxxxxx; Stefan Kanthak
Subject: Re: [FD] Beginners error: iTunes for Windows runs rogue program 
C:\Program.exe when opening associated files

 

 

The practice of creating persistent services from temp directories is
"generally avoided". I see what you're saying, but the use case which you
mentioned is an extremely long shot scenario. While possible, it's not
likely going to happen.

 

 

So you're definition of vulnerability relies on likelihood. Gotcha.

 

Don't confuse risk with being vulnerable.



 

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website 


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/