Security Basics mailing list archives
Re: [WEB SECURITY] Re: Minimal User Interaction with Links
From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 14 Aug 2009 17:11:20 -0400 (EDT)
On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:
Under normal circumstances, no, it is not possible in this day and age (i.e. with an up-to-date OS) to automatically execute/save a file by clicking a link.
It's possible to do this automatically, without any user interaction, by referencing vulnerable ActiveX controls with insecure exposed methods with names like DownloadAndExecuteFile() (see CVE-2008-4586 for example). These types of issues are starting to show up fairly regularly in CVE. Very few researchers seem to be paying attention to Firefox plug-ins, but once they do, I expect to see similar results there, too.

Theoretically it's within the browsers' security models to avoid the automatic save/execute of files, but browser bugs and the aforementioned plugin vulnerabilities mean that practically speaking, it's still possible.

I assume the more knowledgeable Flash experts among us have their own suggestions.

- Steve