Microsoft does it again

ReK2WiLdS rek2 at linuxbusca.com
Tue Aug 6 15:27:26 EDT 2002


I agree with Bill.... 100% no excuses.

rek2


On Tuesday 06 August 2002 16:22, Bill Bogstad wrote:
> Derek Kramer wrote:
>
> On Tue, 6 Aug 2002, Derek D. Martin wrote:
> >> If you're relying on Windows privileges to secure your network, you're
> >> basically screwed.  A whitepaper was released today detailing how to
> >> gain localsystem privileges on any Win32-based platform.  And the
> >> kicker is, because it takes advantage of a fundamental flaw in the
> >> design of Windows, it's basically unpatchable, requiring a complete
> >> overhaul of the Windows messaging system to fix.
> >>
> >> And the best part is, if you're providing terminal services via a
> >> Citrix server, anyone can own your server, and you'll never be able to
> >> stop them...
> >>
> >>   http://security.tombom.co.uk/shatter.html
> >
> > I read this in detail, and I hate to admit that I agree with Microsoft.
> > Once bad people are sitting logged onto your machine, you should already
> > have considered it compromised, regardless of what techniques the bad person
> > has at their disposal.
>
> So a command line overflow exploit in a setuid-root ps binary on a
> UNIX machine is unimportant because you shouldn't ever let 'bad
> people' have a login on your machine?  I thought security was about
> being able to limit the resources that a user could access on a
> machine even when they had some level of legal access.  You seem to be
> advocating a security model of 'good' and 'bad' users where 'good
> users' can do anything and 'bad users' can do nothing.  Maybe you
> missed the part where this worked via terminal services as well.  You
> don't need physical access, apparently you only need the equivalent of
> a UNIX login.  I believe that any operating system vendor who claims
> that something isn't a security issue because you have to have some
> level of valid access to exploit it should be condemned. PERIOD.
>
> 				Bill Bogstad
> 				bogstad at pobox.com
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
