-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
____/ Richard Rasker on Friday 08 August 2008 17:45 : \____
>
>
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html
>
> "By taking advantage of the way that browsers, specifically Internet
> Explorer, handle active scripting and .NET objects, [Dowd and Sotirov]
> have been able to load essentially whatever content they want into a
> location of their choice on a user's machine.
>
> Researchers who have read the paper that Dowd and Sotirov wrote on the
> techniques say their work is a major breakthrough and there is little that
> Microsoft can do to address the problems. The attacks themselves are not
> based on any new vulnerabilities in IE or Vista, but instead take
> advantage of Vista's fundamental architecture and the ways in which
> Microsoft chose to protect it."
>
> And I thought Vista was redesigned to make it more secure? Then how can this
> happen?
>
> "If you think about the fact that .NET loads DLLs into the browser itself
> and then Microsoft assumes they're safe because they're .NET objects, you
> see that Microsoft didn't think about the idea that these could be used as
> stepping stones for other attacks."
>
> This is so stupid. Will those incompetent morons in Redmond /ever/ learn
> that you DO NOT EXECUTE stuff unless absolutely necessary, especially with
> regard to the Internet? Many years ago, these idiots were single-handedly
> responsible for making computers insecure in the first place by introducing
> gazillions of execute mechanisms, the majority of which automatic and
> beyond the user's control, at that. And alas, it seems that nothing much
> has changed. This is very depressing, and no doubt it means that the amount
> of spam sent to me by compromised Windows boxes (already 5,000 messages
> every day) will only keep increasing, among other things.
>
> Then again, there's this:
>
> "Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on
> specific vulnerabilities. As a result, he said, there may soon be similar
> techniques applied to other platforms or environments."
>
> I wonder how vulnerable our favourite OSS browsers are ...
>
> Richard Rasker
Someone mailed me this earlier:
Note that the bad engineering promoted by Bill Gates and his movement is
probably costing Joe Sixpack upwards of 8 hours lost effort per week
from malware, instability and poor interoperability. With the US in the
economic situation it is in, that may be enough to knock the floor out
of the recession. The failure that is MS Vista may be the last straw
and take down what's left of the economy.
Until recently, MSFTers have been able to stifle security information.
However, the EFF's recent win paves the way forward for better
technology to become more visible.
I look forward to the seeing Back-To-School Security Packets in Walmart,
Best Buy, and others consisting of Xubuntu (www.xubuntu.org) CDs.
1) "EFF Wins Protection for Security Researchers" (2007)
http://www.eff.org/press/releases/2007/09#005434
2) "Vista's Security Rendered Completely Useless by New Exploit" (2008)
"... a technique that can be used to bypass all memory
protection safeguards that Microsoft built into Windows
Vista..."
"... the work is a major breakthrough and there is very little
that Microsoft can do to fix the problems..."
http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit
3) "This Bug Man Is a Pest" (2008)
"...His syllabus is partly a veiled attack on McAfee,
Symantec and their ilk, whose $100 consumer products he
sees as mostly useless. If college students can beat
these antivirus programs, he argues, what good are they
for the people and businesses spending nearly $5 billion
a year on them? ..."
http://www.newsweek.com/id/150465
4) "USENIX WOOT07, Exploiting Concurrency Vulnerabilities in System Call
Wrappers, and the Evil Genius" (2007)
http://www.lightbluetouchpaper.org/2007/08/06/usenix-woot07-exploiting-concurrency-vulnerabilities-in-system-call-wrappers-and-the-evil-genius/
- --
~~ Best of wishes
A computer is like air conditioning: it becomes useless when you open windows.
~Linus Torvalds
http://Schestowitz.com | GNU/Linux | PGP-Key: 0x74572E8E
Swap: 4088500k total, 501296k used, 3587204k free, 665640k cached
http://iuron.com - next generation of search paradigms
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkicmkEACgkQU4xAY3RXLo5aUwCgitsdlvBXVyqQh4O3M1YwpvLL
cpsAoJYCl7GqHAj8aTnz0uPdCDjC8uKk
=/2yR
-----END PGP SIGNATURE-----
|
|
