On Tue, 6 Aug 2002, Ben Jackson wrote:

> Technically, if I read it right, it is not Microsoft's fault completely.
> MSFT is definitely at fault for providing an easy conduit for this to
> happen, but isn't the problem with the AV scanner he is telling to run his
> code? All he is doing is feeding some shellcode to a program that is
> running as "root". Running a program with a privileged account that is
> directly accessible to the user like that is bad.
>
> (For example, Norton Corp Ed. has an engine running as LocalSystem, but the
> UI is running as the account logged in, IIRC)

[SIDE NOTE- Please trim your quotes and post underneath them.]

No, M$FT is at fault because they designed the protocol to not have the identifier of the sender in it. In the letter, the M$FT dude talks about how it's the responsibility of the application to decide whether it will ignore or process messages, but the M$FT messaging protocol has no From: field, so there's no way for the application to know if the request is legit or not. His defense is totally bogus.