Dailydave mailing list archives

Re: What are the 'Real World' security advantages of the .Net Framework and the JVM?


From: "Dinis Cruz" <dinis () ddplus net>
Date: Fri, 4 Nov 2005 02:35:35 -0500

As Dino said, most Internet Explorer browsers today will silently execute .Net assemblies in a .Net Sandbox set to 
'Default' (unless the default CAS policy has been changed/corrupted or an exploit is used to trick IE to think that the 
assembly is coming from the local computer and give it Full Trust).

This means that if there is a way to jump out of Partial Trust via a vulnerability in the CLR or BCL (i.e. the .Net 
Framework) then a very serious exploit could be created which would give an attacker automatic full control over the 
infected user's session.

Based on my experience with the .Net Framework so far, I do believe that there are vulnerabilities similar to the ones 
that have been found in Java which will allow such exploits to exist, but as far as I know there are no known (outside 
Microsoft probably) examples of these vulnerabilities. Note that I have no proof of this statement (yet) but it is 
very worrying the lack of research and focus that this area has received over the last 5 years.

Which is why Florian's comments were quite interesting.

 Florian, what do you mean by 'untrusted CLI byte code'?

Do you mean code which we don't know where it came from (which btw, is 99% of the code we execute in our boxes) or do 
you mean code that is able to exploit the CLR and jump out of the Sandbox?

 Dinis Cruz

----------------------------------------
From: "Dino A. Dai Zovi" <ddz () theta44 org>
Sent: 03 November 2005 11:18
To: Florian Weimer <fw () deneb enyo de>
Subject: Re: [Dailydave] What are the 'Real World' security advantages of the .Net Framework and the JVM?

It is not just rumor, but fact :). It is called "Zero-Touch 
Deployment" and Internet Explorer sniffs a downloaded .exe to detect 
whether it is a .NET application, and if so, it will try and run it 
automatically. You run in a "partially trusted" context that is 
roughly analogous to the java applet sandbox. You can easily use 
WinForms to open windows, etc, and even store persistent data in 
Isolated Storage, but not much else. Kinda fun to play with.

Cheers,

-Dino

On Nov 2, 2005, at 3:56 PM, Florian Weimer wrote:

* Edward Ray:

.NET Security is an oxymoron, IMHO. If anyone has a different take on this
topic that has not partaken of the Microsoft Kool-Aid on this subject, I
would appreciate enlightenment.

There are rumors that Internet Explorer on .NET-enabled systems can
download and execute untrusted CLI bytecode, without user
confirmation. (By design, not as a bug, just like Java applets.)
This means that some bytecode verifier and security manager is still
needed. I couldn't find definite documentation on the subject,
though.

However, it seems that .NET does not put as much emphasis on mobile
code as Java, so these components are perhaps not *that* important.
