Full Disclosure mailing list archives
Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Sun, 26 Mar 2006 21:58:10 -0800 (PST)
of creating a full-featured browser, from scratch, with usability as good as IE and Firefox strikes me as a fairly tricky project.
I agree.
What about using the facilities already provided by the OS to enforce the sandbox?
But then will it be possible to prevent buffer overflows, still running on unmanaged code? Very nice points by Dinis, esp. the one about the "advantages" of using our boxes with less privileges (for internet browsing). -pilon --- Brian Eaton <eaton.lists () gmail com> wrote:
On 3/25/06, Dinis Cruz <dinis () ddplus net> wrote:4) Finally, isn't the solution for the creation ofsecure andtrustworthy Internet Browsing environments thedevelopment of browserswritten in 100% managed and verifiable code, whichexecute on a secureand very restricted Partially TrustedEnvironments? (under .Net, Mono orJava). This way, the risk of buffer overflows willbe very limited, andwhen logic or authorization vulnerabilities arediscovered in this'Partially Trusted IE' the 'Secure PartiallyTrusted environment' willlimit what the malicious code (i.e. the exploit)can do. I am less than enthusiastic about most of the desktop java applications I use. They are, for the most part, sluggish, memory gobbling beasts, prone to disintegration if I look at them cross-eyed or click the mouse too frequently. Usability problems with java applications are not necessarily due to managed code, of course, but the idea of creating a full-featured browser, from scratch, with usability as good as IE and Firefox strikes me as a fairly tricky project. What about using the facilities already provided by the OS to enforce the sandbox? Rather than scrapping the existing codebases, start running them with restricted rights. Use mandatory access control systems to make sure the browser doesn't overstep its bounds. Regards, Brian
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 25)
- RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 25)
- Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 26)
- Re: Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Joe Ciechanowski (Mar 31)
- Message not available
- Re: Re: [Owasp-dotnet] RE: 4 Questions: Latest IEvulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Saqib Ali (Mar 31)
- Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 26)
- RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 25)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 25)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 26)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Christopher Bergström (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 26)