From: Tim Brown (tmb65535.com)
Date: Mon Sep 17 2007 - 07:43:35 CDT
On Monday 17 September 2007 13:26:36 Roger A. Grimes wrote:
> I'm sorry, we'll have to agree to disagree. I don't see the new attack
> vector here. I, the attacker, have to make you download my malicious
> trojan program, which you install on your computer.
Irrespective of the rest of what Roger says (which I agree with FTR), this bit
is simply wrong. Look at the PoC that has been made public:
It's not (just) about downloading malware gadgets. It's about exploiting
vulnerabilities *in* gadgets (the default gadgets in Vista, in the case of
the PoC). Essentially, anywhere a gadget calls, for example, eval() on
untrusted data you *may* have a problem.
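
The eval()-on-untrusted-data pattern described in the message above, as an added example that is not part of the original post or the published PoC. The feed format, function names and sample bodies are hypothetical and constructed for illustration.

```javascript
'use strict';

// Vulnerable pattern: the gadget treats a fetched feed body as code.
function parseFeedUnsafe(body) {
  // eval() runs any expression the remote side (or anyone able to tamper
  // with the response) places in the body, with the gadget's privileges.
  return eval('(' + body + ')');
}

// Hardened pattern: parse the body as data only, then validate its shape.
function parseFeedSafe(body) {
  let doc;
  try {
    doc = JSON.parse(body); // JSON.parse never executes code
  } catch (e) {
    return null; // not strict JSON: reject instead of falling back to eval
  }
  if (doc === null || typeof doc !== 'object' || !Array.isArray(doc.items)) {
    return null;
  }
  const items = [];
  for (const it of doc.items.slice(0, 20)) { // bound the item count
    if (it === null || typeof it !== 'object' || typeof it.title !== 'string') {
      return null;
    }
    items.push({ title: it.title.slice(0, 200) }); // keep only known fields
  }
  return { items };
}

// Constructed sample inputs (hypothetical feed format).
const GOOD_FEED = '{"items":[{"title":"Weather: sunny"}]}';
// Constructed hostile body: a valid JavaScript expression but not valid JSON.
// Its only side effect here is setting a harmless marker flag.
const HOSTILE_FEED =
  '{"items":[{"title":(globalThis.__gadgetSideEffect = true, "x")}]}';

// Runs both parsers on the hostile body and reports whether code executed.
function demo() {
  globalThis.__gadgetSideEffect = false;
  const safeResult = parseFeedSafe(HOSTILE_FEED);
  const afterSafe = globalThis.__gadgetSideEffect;
  parseFeedUnsafe(HOSTILE_FEED);
  const afterUnsafe = globalThis.__gadgetSideEffect;
  return { safeResult, afterSafe, afterUnsafe };
}
```

Both parsers return the same object for the well-formed feed; only the eval() version lets the feed body run code when the data source is not trusted.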