A German security company says it found minor problems in Windows XP Service Pack 2. Researchers predict more critical issues will emerge.
"I'm positive that we will see critical flaws over the next few weeks, and worms that will circumvent SP2 features over the next few months," [Larholm] said.
And in other news, typing rm -rf from the root command line in linux has negative consequences. If you want to be secure, disable access to cmd in the user policies.1. The cmd Issue
Description
The command shell cmd.exe ignores the ZoneID of files. The command
cmd /c evil.exe
executes the file evil.exe without warning, regardless of its ZoneID.
The only "problems" here is that the user can hurt themselves. The OS can't prevent against social engineering. Although, yes, this is in fact a bug. I'll give you that.2. Windows Explorer caching of ZoneIDs
Description
Windows Explorer caches the result of ZoneID lookups. If a file is overwritten, Explorer does not properly update this cached information to reflect the new ZoneID. This allows spoofing of trusted or non-existant ZoneIDs by overwriting files with trusted or non-existent ZoneIDs.
....
Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existant ZoneID. Right now there is no known way to achieve this in an attack mounted from the Internet.
Research before you post -- try thisTetrad wrote:And in other news, typing rm -rf from the root command line in linux has negative consequences. If you want to be secure, disable access to cmd in the user policies.1. The cmd Issue
Description
The command shell cmd.exe ignores the ZoneID of files. The command
cmd /c evil.exe
executes the file evil.exe without warning, regardless of its ZoneID.
But the thing is, they're complaining about a warning dialog box that doesn't pop up from cmd. Oh no.
What that certainly is interesting.Grendel wrote:Research before you post -- try this
I suggest you both edit your posts before some poor fool actually clicks that link and does something with it. Not all of the peeps that read this BBS are computer savvy ...Tetrad wrote:What that certainly is interesting.Grendel wrote:Research before you post -- try this
Yet another reason to use Firefox: it doesnt render that correctly!Tetrad wrote:What that certainly is interesting.Grendel wrote:Research before you post -- try this
heh, it seems that bleh.com is a real site.Vindicator wrote:Yet another reason to use Firefox: it doesnt render that correctly!Tetrad wrote:What that certainly is interesting.Grendel wrote:Research before you post -- try this
It's not the rendering. It's the fact that the executable runs itself from cmd. Still, people who would actually do that sort of thing are stupid, so my point still stands.Vindicator wrote:Yet another reason to use Firefox: it doesnt render that correctly!Tetrad wrote:What that certainly is interesting.Grendel wrote:Research before you post -- try this
I'd agree if you change that to computer-stupid. Lately I met a some really smart people that just never did anything even remotely w/ computers before and helped them out to get online. I looked away for 1/2hr at the beginning and in a flash I'd to remove 5 different worms.. Kind of enlightened me why so many machines on the net are virus/worm infested.Tetrad wrote:Still, people who would actually do that sort of thing are stupid, so my point still stands.
Most people just don't care. Hell, at the game company I work at, which some people would argue would be the most computer savvy place you could be (game dev places in general), I still have to clear off a coworker's computer that had all this crap tied in with IE and other rogue processes. We even had to ask people company wide to start using virus scanners since there was stuff bogging down our already-slow internet connection. These people know computers but as far as they can tell, unless it bothers them directly, it's unimportant.Grendel wrote:Kind of enlightened me why so many machines on the net are virus/worm infested.
I normally wouldn't have been that harsh but I had to make her remember as she's 14 ... has the attention span of a gold fish. 
