From: Thor (Hammer of God) (thorhammerofgod.com)
Date: Tue Dec 07 2010 - 13:17:24 CST
>On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>> >>> 2. some interpret it as a feature and some as a bug?
>> > Does it have to be either?
>> It sounds to me as if this is a deliberate design decision, and people
>> are disagreeing over the severity of its implications.
>Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
>technically not a bug, but it does violate the Principle of Least Surprise.
Or, some people (like Larry) don't have a hyperbolic approach to exploit vector details. I like Larry's approach, and consider it the most accurate comment thus far (including my own). Rather than actual white papers and references to M$ and "Exploder," this entire "vector" can be summarized in one sentence:
If you are running Vista+, and are on a domain, and have not altered the PM defaults, and if you have an unpatched vulnerability in IE that allows an attacker to remotely install a web service that runs on localhost and redirects your browser to that service, and the vulnerability is capable of being re-exploited, then the web service code could launch other code that runs in the Intranet zone with associated security settings that would run in the context of the local user.
It could even be shortened to: The Intranet Zone has Protected Mode disabled, Internet zone does not. If you are worried about your domain users being exploited by unknown vulnerabilities that could be launched in the Intranet zone, then add localhost to your restricted zone. Since they are on a domain, this is a trivial task.
Is this where the industry is now? If I wrote a similar white paper that applied to open source products and posted it here, I would be appropriately ridiculed off the list. I'll actually take this as a sign of progress - when the only way Guninski can get his "M$ Exploder" comments in is to reference other people's research-in-the-obvious and have something so trite be referred to as "Broken by Design" then it proves two things: Security is getting better, and people could not care less.
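An audit script for the point made above, added here and not part of Thor's post or any Microsoft tooling: it reports the Protected Mode setting of each IE zone for the current user and whether localhost has been moved to the Restricted sites zone, per user or by domain policy. It assumes the IE zone registry layout (value "2500" is Protected Mode, 0 = on, 3 = off; zone 1 = Local intranet, zone 4 = Restricted sites) and that the Group Policy "Site to Zone Assignment List" is stored under ZoneMapKey.

```powershell
# Added audit script (not from the original post). Reads the per-user IE zone
# settings and reports (a) Protected Mode per zone and (b) whether localhost has
# been mapped to the Restricted sites zone, either per user or by domain policy.
# Assumed registry layout: Zones\<n> value "2500" = Protected Mode (0 = on, 3 = off);
# zone numbers 0..4 = My Computer, Local intranet, Trusted, Internet, Restricted.
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$PmStates  = @{ 0 = 'Enabled'; 3 = 'Disabled' }

function Get-IEProtectedModeState {
    foreach ($n in 0..4) {
        $val = (Get-ItemProperty -Path (Join-Path $ZoneRoot $n) -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = 'Not set'
        if ($null -ne $val -and $PmStates.ContainsKey([int]$val)) { $state = $PmStates[[int]$val] }
        [pscustomobject]@{ Zone = $n; Name = $ZoneNames[$n]; ProtectedMode = $state }
    }
}

function Test-LocalhostRestricted {
    # Per-user mapping written by the IE "Restricted sites" dialog (assumed layout:
    # ZoneMap\Domains\localhost with one DWORD per scheme, e.g. http = 4, or "*" = 4).
    $userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost'
    $user = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    $userHit = ($null -ne $user) -and (($user.http -eq 4) -or ($user.'*' -eq 4))

    # Domain-policy mapping ("Site to Zone Assignment List", assumed to live under
    # ZoneMapKey as REG_SZ entries: name = site pattern, data = zone number).
    $polKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $polHit = ($null -ne $pol) -and (($pol.'http://localhost' -eq '4') -or ($pol.localhost -eq '4'))
    return [bool]($userHit -or $polHit)
}

Get-IEProtectedModeState | Format-Table -AutoSize
if (Test-LocalhostRestricted) {
    'localhost is in the Restricted sites zone: Protected Mode applies to it.'
} else {
    'localhost is NOT restricted: with Intranet Protected Mode off, local web content runs with Intranet zone settings.'
}
```

Run it under the user account being audited, since the Zones and ZoneMap data are per user while the policy key is machine-wide.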
Full-Disclosure - We believe in it.