Microsoft does it again

David Kramer david at thekramers.net
Tue Aug 6 17:03:02 EDT 2002


On Tue, 6 Aug 2002, Bill Bogstad wrote:
> David Kramer wrote:
> >On Tue, 6 Aug 2002, Bill Bogstad wrote:
> >> So a command line overflow exploit in a setuid-root ps binary on a
> >> UNIX machine is unimportant because you shouldn't ever let 'bad
> >> people' have a login on your machine?  I thought security was about
> >> being able to limit the resources that a user could access on a
> >> machine even when they had some level of legal access.  You seem to be
> >> advocating a security model of 'good' and 'bad' users where 'good
> >> users' can do anything and 'bad users' can do nothing.  Maybe you
> >> missed the part where this worked via terminal services as well.  You
> >> don't need physical access, apparently you only need the equivalent of
> >> a UNIX login.  I believe that any operating system vendor who claims
> >> that something isn't a security issue because you have to have some
> >> level of valid access to exploit it should be condemned. PERIOD.
> >
> >OK, I should have been more explicit.  When you have a bad person sitting
> >in front of your WINDOWS computer, is what I meant.
> 
> I'm afraid I don't follow you.  The article clearly states that this
> is exploitable even if you don't have physical access to the computer.
> All you need is logical (Windows terminal server) access.  I agree
> that physical access to the unit actually implementing the security
> system means all bets are off.  Although what that means is subject
> to discussion.  I don't think keyboard/mouse/monitor access is sufficient.
> If I put you on the other end of long cables without access to the actual
> CPU box that shouldn't automatically give you any more privileges than
> if your access is via a network card.

You're right, I always think of Windows as only being accessible while 
sitting in front of it, because that's the only way I've ever used it.

----------------------------------------------------------------------------
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD       "The water was not fit to drink.
DKK D       To make it palatable, we had to add whiskey.
DK KD       By diligent effort, I learned to like it."
DDDD                                     - Sir Winston Churchill (1874-1965)