From: Dan Kaminsky (dandoxpara.com)
Date: Fri Aug 27 2010 - 00:18:48 CDT
On Fri, Aug 27, 2010 at 1:06 AM, <paul.szabosydney.edu.au> wrote:
> Dan Kaminsky <dandoxpara.com> wrote:
> >> Badly setup desktops: do not "hide extensions", maybe view details
> >> (or list) not icons.
> > All that matters is defaults, and icons are way more powerful ...
> Those defaults are wrong, change them. Anyway, icons are shown
> with "view details".
I think you mean application types are shown with "view details". The
problem is, there's a couple dozen application types that are all code
execution equivalent by design. Do you know all of them? Why should a
> > The web browser and the email client are not designed to launch
> > arbitrary code. The desktop ... is.
> This attack may happen through the browser (UNC paths or somesuch).
> Any talk about USB sticks or desktops is bogus.
There's no path between IE and a UNC window that doesn't either security
prompt or raise an unadorned Explorer window to a remote share. I could see
an argument that the latter should prompt, given that it's a (by definition)
code execution context. But that's about it.
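As an added example, not part of this thread and not code from either correspondent, here is a PowerShell check a desktop administrator could use to audit the "hide extensions" default the exchange argues about, and to list the extensions Windows itself treats as directly executable. It assumes the per-user Explorer setting lives in the `HideFileExt` value under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` (1 = hidden, the default; 0 = shown), reads the executable-extension list from `$env:PATHEXT`, and the double-extension file name in the comments is a constructed illustration.

```powershell
# Added example (not from the Full-Disclosure thread): audit whether Explorer
# hides known file extensions for the current user, and show which extensions
# the shell treats as executable.
# Assumed location of the Explorer setting:
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # Returns 0 (extensions shown), 1 (hidden) or $null if the value is absent,
    # in which case Explorer behaves as if extensions were hidden.
    $item = Get-ItemProperty -Path $advancedKey -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.HideFileExt
}

function Test-ExtensionsVisible {
    # True only when the value is explicitly 0.
    return ((Get-HideFileExtSetting) -eq 0)
}

function Get-ExecutableExtensions {
    # PATHEXT is the list the shell consults when resolving a bare name to a
    # program; every entry is a "code execution equivalent" type.
    return ($env:PATHEXT -split ';' | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
}

if (Test-ExtensionsVisible) {
    Write-Output 'Explorer shows file extensions (HideFileExt = 0).'
} else {
    # With extensions hidden, a constructed name such as report.pdf.exe is
    # displayed as report.pdf, and only the icon hints at the real type.
    Write-Output 'Explorer hides known extensions (HideFileExt is 1 or unset).'
    Write-Output 'Remediation for this user (new Explorer windows pick it up):'
    Write-Output "  Set-ItemProperty -Path '$advancedKey' -Name HideFileExt -Value 0"
}

Write-Output 'Extensions the shell treats as executable (PATHEXT):'
Get-ExecutableExtensions | ForEach-Object { Write-Output "  $_" }
```

`PATHEXT` is only the command-resolution list; file types registered to open with an interpreter (script hosts, shortcut files and similar) are not in it, so treat the printed list as a lower bound on the extensions that should never be hidden from the user.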
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/