flat assembler
Message board for the users of flat assembler.

Vista and Internet Explorer security rendered useless

drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Link
Quote:
By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.


InfoWorld says:
Quote:
In light of the new Windows flaws announced yesterday, I think it's time to reiterate a point I made a long time ago: It's time for Microsoft to dump Windows.
Post 10 Aug 2008, 01:32
TmX



Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
TmX
drhowarddrfine wrote:

In light of the new Windows flaws announced yesterday, I think it's time to reiterate a point I made a long time ago: It's time for Microsoft to dump Windows.


And how would that be possible?
Laughing
Post 10 Aug 2008, 07:23
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
The blurb is pretty sensationalist, and doesn't have enough information that you can judge the severity of this thing.

I remember when the "shatter" attacks were discovered by foon (heh, only several years after documented elsewhere), and people were all "OMFG THIS IS LIKE UNFIXABLE!" et cetera. I showed a (stopgap, admitted) way of fixing the particular exploit, and Microsoft later on fixed this unfixable flaw generically.

Not saying this can't be a serious problem, but I'm really tired of people crying wolf and inducing hysteria.
Post 10 Aug 2008, 15:51
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
TmX wrote:
drhowarddrfine wrote:

In light of the new Windows flaws announced yesterday, I think it's time to reiterate a point I made a long time ago: It's time for Microsoft to dump Windows.


And how would that be possible?
Laughing
The same way Apple did it when they changed to a Unix based OS.
Post 10 Aug 2008, 16:23
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
BSD/Mach/NeXTSTEP based, not unix per se.

And why on earth would MS dump the tried-and-tested secure NT kernel? If they need to do anything, it's fixing up the win32 side of things. Standard UNIX is inferior to NT, really, feature and security wise Smile
Post 10 Aug 2008, 16:29
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Unix runs circles around NT and spits in its face.
Post 10 Aug 2008, 17:30
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
drhowarddrfine wrote:
Unix runs circles around NT and spits in its face.
As if.

Wonder why unices have started backporting ACLs from NT? (Which, yeah, in turn, came from VMS). UNIX mentality is outdated crap... too bad the Win32 layer is discoherent and application-level coders tend to suck (but hey, they suck on all OSes).

_________________
Image - carpe noctem
Post 10 Aug 2008, 17:37
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
Let's not turn this into another OS war.

It is a well-known fact NT is better than Unix/Linux/BSD. Let's stop arguing. Period.
Post 11 Aug 2008, 00:44
bitRAKE



Joined: 21 Jul 2003
Posts: 2914
Location: [RSP+8*5]
bitRAKE
f0dder wrote:
BSD/Mach/NeXTSTEP based, not unix per se.

And why on earth would MS dump the tried-and-tested secure NT kernel? If they need to do anything, it's fixing up the win32 side of things. Standard UNIX is inferior to NT, really, feature and security wise Smile
Hehe, yeah NeXTStep is a huge leap for Apple. Almost like Steve Jobs wanted it all along.

_________________
¯\(°_o)/¯ unlicense.org
Post 11 Aug 2008, 01:10
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
comrade wrote:
Let's not turn this into another OS war.

It is a well-known fact NT is better than Unix/Linux/BSD. Let's stop arguing. Period.
A typical comment by a mindless point-and-clicker. Microsoft software is the most insecure software in the world and BSD/Linux spits in its face. Microsoft is a child's toy. Real work is done on real OSes and Microsoft need not apply and that's the rule of the world, not amateurs. If you aren't using Linux/BSD, then you are wide open to expenses and vulnerabilities. You lose.

It's hilarious that despite in-your-face problems as shown in the link, amateurs jump on board and say Microsoft has more secure systems. How ridiculous. How blatantly blind can you be.
Post 11 Aug 2008, 02:21
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
bitRAKE wrote:
Hehe, yeah NeXTStep is a huge leap for Apple. Almost like Steve Jobs wanted it all along.
Another example of a comment by a point/clicker who knows absolutely nothing about what he's talking about and has to pull up a video from many, many years ago to prove some unknown pathetic point. Quit making a fool of yourself when you don't even know what you're looking at.
Post 11 Aug 2008, 02:25
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
f0dder wrote:

Wonder why unices have started backporting ACLs from NT? (Which, yeah, in turn, came from VMS).
Oh! So it's NOT from NT. In fact, I wonder why NT is copying from VMS? I didn't think you would make such a stupid comment fodder.
Quote:
UNIX mentality is outdated crap...
Outdated? I guess you don't even know that it's under constant development? I guess you don't know too much.
Quote:
too bad the Win32 layer is discoherent
While saying Unix is bad you also say Win32 is bad?! Who is calling the kettle black?!
Post 11 Aug 2008, 02:29
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Quote:

Hehe, yeah NeXTStep is a huge leap for Apple. Almost like Steve Jobs wanted it all along.

I liked very much the file browser Smile
Post 11 Aug 2008, 03:06
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
drhowarddrfine wrote:
Oh! So it's NOT from NT. In fact, I wonder why NT is copying from VMS?


Because the leader of the NT project was a lead developer of VMS at DEC as well?

_________________
comrade (comrade64@live.com; http://comrade.ownz.com/)
Post 11 Aug 2008, 04:37
bitRAKE



Joined: 21 Jul 2003
Posts: 2914
Location: [RSP+8*5]
bitRAKE
drhowarddrfine wrote:
bitRAKE wrote:
Hehe, yeah NeXTStep is a huge leap for Apple. Almost like Steve Jobs wanted it all along.
Another example of a comment by a point/clicker who knows absolutely nothing about what he's talking about and has to pull up a video from many, many years ago to prove some unknown pathetic point. Quit making a fool of yourself when you don't even know what you're looking at.
The video was entertaining. I really don't feel I need to defend my comment. Nor do I feel like a fool for not educating you. Sorry to pollute your thread, but it is severely lacking in content. Unknown and pathetic - you're really trying hard, lol.

_________________
¯\(°_o)/¯ unlicense.org
Post 11 Aug 2008, 05:19
Kenneth



Joined: 16 Nov 2005
Posts: 38
Location: United States of America
Kenneth
drhowarddrfine wrote:
bitRAKE wrote:
Hehe, yeah NeXTStep is a huge leap for Apple. Almost like Steve Jobs wanted it all along.
Another example of a comment by a point/clicker who knows absolutely nothing about what he's talking about and has to pull up a video from many, many years ago to prove some unknown pathetic point. Quit making a fool of yourself when you don't even know what you're looking at.


Coming from the same guy who provides a link to an article whose bias is only surpassed by your own. The only "evidence" you've provided for anything besides that horrible article is your own repetitive comments having to do with spit.
Post 11 Aug 2008, 06:49
r22



Joined: 27 Dec 2004
Posts: 805
r22
So, all I have to do is disable Active Scripting in my browser and Vista becomes secure again.

Clicking a check box nullifies this huge exploit, I MUST BE A COMPUTER SECURITY GENIUS! I came up with the first workaround to a vaporware exploit.

@drhowarddrfine
I seriously hope you are joking around. If not, I'd like to take my time-machine and come visit you in the 1980s we can debate how punch cards make programs more secure Very Happy Very Happy Very Happy
Post 11 Aug 2008, 12:17
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
drhowarddrfine wrote:
Microsoft software is the most insecure software in the world and BSD/Linux spits in its face.
Perhaps you should take a look at the exploit history of big *U*X software like BIND? Smile

drhowarddrfine wrote:
If you aren't using Linux/BSD, then you are wide open to expenses and vulnerabilities. You lose.
I think "wide open" is overdramatizing things a bit. If you're behind a NAT or use a firewall (too bad one wasn't included with windows by default until XP SP2) you're pretty safe, unless you blindly click links and run "pamela anderson nude.exe". And if you run with a limited user account, well...

drhowarddrfine wrote:
Oh! So it's NOT from NT. In fact, I wonder why NT is copying from VMS? I didn't think you would make such a stupid comment fodder.
I say NT ACLs simply because NT is the most wide-spread system using ACLs. And obviously Dave Cutler brought along ACLs when Microsoft hired him to do NT, it would be retarded not to.

drhowarddrfine wrote:
f0dder wrote:
UNIX mentality is outdated crap...
Outdated? I guess you don't even know that it's under constant development? I guess you don't know too much.
All the big OSes are under constant development, but *U*X is still centered around rigid user/group permissions, many apps still fork() and use a process-per-client instead of proper threading, and lack of consistency between distributions.

drhowarddrfine wrote:
f0dder wrote:
too bad the Win32 layer is discoherent
While saying Unix is bad you also say Win32 is bad?! Who is calling the kettle black?!
Not really. Just because I generally think Windows is a fine OS (and the NT kernel is superior to OSX/BSD/Linux), that doesn't mean there aren't problems with the system. Win32 is by no means perfect, its win16 legacy shows, and the individual subsystems aren't super coherent because they're designed by different teams.

I could program for the NT Native or POSIX subsystem on Windows if I wanted to, or I could even (theoretically) cook up my own subsystem... Win32 isn't that bad, though.

Now, I probably wouldn't set up a Windows server, simply because I like SSH administration and I'm a cheapskate (server licenses are costly) - but I wouldn't refrain from doing so because of security concerns. Follow the same routines you do with any OS: disable unnecessary services, set up a firewall, and limit the credentials services run with.
Post 11 Aug 2008, 15:35
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
As expected, the sky isn't falling. Unfortunate that ASLR is defeated, but IE sandbox and UAC aren't, so it's not that big a fuss after all.

So, fix up Flash and JAVA to work with DEP and ASLR, fix up the remaining parts of IE (and FireFox...) that break DEP...

_________________
Image - carpe noctem
Post 11 Aug 2008, 16:54
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
drhowarddrfine
Quote:

All the big OSes are under constant development, but *U*X is still centered around rigid user/group permissions, many apps still fork() and use a process-per-client instead of proper threading, and lack of consistency between distributions.

So you want security but you don't want to have to protect anything? You'd rather do it Microsoft's way with its great track record? And what do apps have to do with the OS? Still, you don't have to fork. And threads run great. You are starting to make me question how aware you are. And when you talk of distributions you must be talking Linux. Linux and their multiple distributions is an issue for me but I'd rather run my business on Unix. I'd rather run my business on Linux, though, than Windows. (And, in fact, I mostly run on FreeBSD).

Secunia reports Windows has far more problems than any other OS and Internet Explorer has more vulnerabilities than all other browsers combined.
Post 12 Aug 2008, 01:28
Copyright © 1999-2020, Tomasz Grysztar.