
Sheeesh. Already. Egads. No surprise really. (edited link)
[link|http://slashdot.org/article.pl?sid=04/08/17/2315255|SP2 for Windows XP isn't as secure as Microsoft touts]

/. article, but has the links in it.

FSCKING WILL IT EVER STOP????

err depending on how you look at it

FSCKING WILL IT EVER BEGIN????
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
Edited by folkert Aug. 18, 2004, 04:12:22 PM EDT
More from the book of "DUH!"
Got an error on that link...
[link|http://slashdot.org/article.pl?sid=04/08/17/2315255|Corrected link].
-YendorMike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
thanx, works
These miserable swine, having nothing but illusions to live on, marshmallows for the soul in place of good meat, will now stoop to any disgusting level to prevent even those miserable morsels from vanishing into thin air. The country is being destroyed by these stupid, vicious right-wing fanatics, the spiritual brothers of the brownshirts and redstars, collectivists and authoritarians all, who would not know freedom if it bit them on the ass, who spend all their time trying to stamp, bludgeon, and eviscerate the very idea of the individual's right to his own private world. DRL
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
link gets me blank page mozz on winders
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624
thanx,
bill
About the first of those "two flaws"
$ cat evil.gif
echo "Gotcha!"

$ bash evil.gif
Gotcha!
$
--
Chris Altmann
Only as
Root could that have a problem on a unix/linux/bsd machine.

On Windows... regular users can do it and have a critical problem.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
But
My script could plant a trojan su and prepend the path and wait for the user to go root to do its dirty work, or maybe a trojan gui su for the modern desktop.

And there is plenty of nastiness one can do as a *nix desktop user (Send mail, spyware, erase/harvest valuable information). Block all outgoing ports and you'll have a list of "broken" apps as long as the one being trumpeted re SP2.

There has been a push in the Windows dev community to get developers to make their apps non-admin account friendly. I was under the impression that SP2 made this somewhat easier but I could be conflating that with stuff promised for Longhorn. There is definitely a single user OS legacy to shed there.
--
Chris Altmann
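
The PATH-prepend scenario raised in the post above can be checked for from the defender's side. The following is an added example, not part of the original thread: a POSIX shell function (hypothetical name `audit_path`) that walks a PATH string and reports entries searched ahead of the genuine binary's directory; `/bin` as the location of `su` and the sample PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string for entries that
# could shadow a privileged command. audit_path and its labels are hypothetical.
#
# audit_path CMD REAL_DIR PATH_STRING
#   CMD       command the user types to elevate (e.g. su)
#   REAL_DIR  directory holding the genuine binary (assumed /bin below)
# Prints one finding per line; exit status 1 if anything was found.
audit_path() (
    cmd=$1
    real_dir=$2
    rest="$3:"             # trailing ':' so the loop sees the last field
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}  # first field (may be empty)
        rest=${rest#*:}    # remainder after the first ':'
        # Entries after the genuine location cannot shadow it.
        if [ "$entry" = "$real_dir" ]; then
            break
        fi
        if [ -z "$entry" ] || [ "${entry#/}" = "$entry" ]; then
            # Empty or relative: resolved against whatever the cwd is.
            echo "RELATIVE '$entry' is searched before $real_dir"
            found=1
        elif [ -f "$entry/$cmd" ] && [ -x "$entry/$cmd" ]; then
            # A same-named executable already wins the lookup.
            echo "SHADOWED $entry/$cmd runs instead of $real_dir/$cmd"
            found=1
        elif [ -d "$entry" ] && [ -w "$entry" ]; then
            # The current user could create a file named $cmd here.
            echo "WRITABLE $entry is searched before $real_dir"
            found=1
        fi
    done
    exit "$found"
)

# Constructed PATH for illustration: cwd and /tmp ahead of the system dirs.
audit_path su /bin ".:/tmp:/bin:/usr/bin" || true
```

Run it against the PATH of the account that is about to elevate; the writability test reflects the user running the audit.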
Way... WAY more tricky.
Why go to the trouble, when you get windows and no other work.

Also, MOST(99%) users do not get root on their machine.

Now if the user runs as root... Well, It has always been rec'd to not use root.

It still will have Single User legacy for as long as they KEEP this codebase.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
Remote exploit proof of concept
[link|http://www.theregister.co.uk/2004/08/20/sp2_scripting_vuln/|http://www.theregist...2_scripting_vuln/]

The vulnerability allows malicious websites to place an executable file in a user's start-up folder when a user drags or clicks on a program masqueraded as an image. http-equiv of malware.com, a so-called White Hat hacker, has posted a sample exploit which demonstrates security weaknesses in the drag and drop function of IE that give rise to the exploit.

Even though this demo depends on the user performing a drag and drop event, it might be rewritten so a user need only perform a single click on an image instead, according to security firm Secunia.


That didn't take long.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
     Sheeesh. Already. Egads. No surprise really. (edited link) - (folkert) - (9)
         More from the book of "DUH!" -NT - (inthane-chan)
         Got an error on that link... - (Yendor) - (1)
             thanx, works -NT - (boxley)
         link gets me blank page mozz on winders - (boxley)
         About the first of those "two flaws" - (altmann) - (3)
             Only as - (folkert) - (2)
                 But - (altmann) - (1)
                     Way... WAY more tricky. - (folkert)
         Remote exploit proof of concept - (admin)
