Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some

from [Drew Copley] Network Security [Permanent Link]
Subject: RE: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
Date: Wed, 30 Jun 2004 16:31:45 -0700 
 


-----Original Message-----
From: full-disclosure-admin@lists.netsys.com 
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of 
Barry Fitzgerald
Sent: Wednesday, June 30, 2004 3:07 PM
To: Drew Copley
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] (IE/SCOB) Switching Software 
Because of Bugs: Some Facts About Software and Security bugs

Drew Copley wrote:


Conclusion: Mozilla may be better. I think there is some strong
chance of that. But only marginally. It has had bugs. It has a lot
of features, which means a lot of potential for security issues. They
have kept their browser more conservative then Microsoft has kept
Internet Explorer. Traditionally, Mozilla developers have been
far more "RFC compliant" - as the saying goes then Microsoft. 



 



Hello Drew,

       I'll start with my own disclaimer.  I have been a Free 
Software 
developer in the past and my bias is hereby established. 

       However, while I agree with the general point that any 
piece of 
software will have bugs and switching simply because a bug has been 
found is a bad idea, to say that is not to say that all bugs 
are equal.  
(I know that that's not what you were saying, but I know that someone 
will read into what was said that way.)  I'm sure that MS Calc has 
bugs.  I know, though, that MS Calc's bugs are, most likely, 
not going 
to allow black hats to compromise systems and steal people's data. 


You are right, that is not what I am saying but some could read
it that way, actually. Sorry, should have noted that in my first
reply.



       I've had experiences in the past that have shown me 
one thing and 
one thing alone: the argument about marketshare being the primary 
motivation of all cracking is played up far too heavily.  Many black 
hats and script kiddies focus their bugfinding on the most-installed 
target, this is true.  But, there is a sufficient body of people out 
there still attempting to target other applications -- some 
of them are 
very bright.  I always wince whenever I see someone bring up the 
marketshare argument because my prior experience dictates that it is 
simply not so simple.

       In my opinion, Microsoft's biggest flaw with Internet 
Explorer is 
that it is a program that can take untrusted content and 
process it in a 
trusted manner.  Yes, I know about zoning and yes I 
acknowledge that as 
long as people have the write to access/modify something, 
there's always 
some way that they can shoot themselves in the foot.  
However, there's a 
far difference between people executing programs off of 
websites/emails 
and people simply viewing a website and being "infected" by a 
trojan/adware/spyware.

       We both know that this scenario is not new.  We also both know 
that Microsoft is not the only one who's been caught mixing trusted 
processing methods and untrusted processing methods in the 
same piece of 
software.  However, it's my decided opinion that a web browser's sole 
design priority is to process input that is, by definition, 
unsafe in a 
safe way.  A program, like Internet Explorer, that mixes OS function 
with (in my opinion, very poor) sandboxing will always have backdoors 
that allow people to execute code in a trusted fashion.  
Programs that 
do not include this code will never have those types of flaws.

       I would like someone to prove that Mozilla can be 
tricked to run 
software in the background without the user's knowledge.  I 
don't just 
mean running an XPI on a system with software installation 
enabled.  I 
also mean without using a plugin to carry out the attack.  I 
also don't 
mean javascript-based XSS attacks - those are a different animal.

       I mean a full-on attack using a plain vanilla install 
of Mozilla 
to silently attack a system and compromise it. 

       The next stage, once that's been proven, is to not just put a 
bandaid on Mozilla, but to fix the architecture so that that type of 
attack cannot be carried out.

        That is the solution to this type of problem.  That is where 
Internet Explorer (and conversely, Microsoft and many other 
companies) 
has failed.  I don't think that it's one bug that's changing anyone's 
mind - rather, it's the history of bugs and lack of attention that's 
plagued people.

        I don't mean any disrespect saying this - it's just my 
perspective.  I agree with the majority of what you've said, in 
generalization -- but, in specificity, I tend to disagree, 
err - if that 
makes sense. :)

                    -Barry

     




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] RE: Misinformation on Scob/MSJect Corrected CORRECTION, Drew Copley
Next by Date:  RE: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs, Drew Copley
Previous by Thread:  RE: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs, Drew Copley
Next by Thread:  RE: [Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs, Drew Copley
Indexes:  [Date] [Thread] [Top] [All Lists]