funsec mailing list archives
Re: standards status in the industry - opinion?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 00:35:56 +1300
Blue Boar wrote:

> Whitelisting would be a huge help. But we're a little too far down the scripting language & executable data format path to completely solve the problem.

I disagree, but concede that solving some of our current problems will not be easy...

> For example, you can't be a standards compliant browser at this point without supporting an executable data format.

So, you're saying that just because a bunch of morons designed something utterly brokenly (from a security perspective) from the outset _AND_ that much of the world "enjoys" the flexibility this approach has allowed (or is just too damned ill-informed or otherwise stupid to know any better), THAT informed security professionals (and others) should not try to get such gross stupidity fixed? Look, we did it (OK, well have helped achieve a greater level of turn-around than many thought possible) with Microsoft and its shitty OS and general company attitude of "Security? What _is_ security?", so why shouldn't we be able to get web browsers fixed by making the HTML standard marginally sane?

... And this is somewhat secondary anyway, for most/all script-based browser exploits _still_ have to drop some or other identifiably "executable" code (be it a binary or a file-based script or a file-based macro or a file-based <whatever>) to do the bulk of the actual nastiness, and the whitelisting-based, integrity enforcement will _still_ stop the "payload" of the attack, even if their browser is vulnerable.

With known virus scanning you have to hope like hell that either your virus scanner has a good enough, generic enough (without raising silly FPs) detection of the browser exploit and will stop it (or at least alert you things have gone pear-shaped) as the bad HTML/script is written to the local browser cache OR that it already detects whatever it is that is dropped/further executes, etc (which increasingly, it doesn't).

Such a whitelisting approach then _mainly_ only leaves you vulnerable to arbitrary code execution through buffer overflows and the like and other forms of mitigation (reducing exposed services, developer education, improvements in compiler and runtime execution checks, DEP/NX/etc, and so on) are available to varying degrees for those.

Regards,

Nick FitzGerald
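The contrast Nick draws between known-virus scanning and whitelisting-based integrity enforcement can be made concrete with a small model of both policies applied to a file a compromised browser has just written to disk. This is an added example, not code from the funsec thread or any product; the file contents, file names and "signatures" are constructed for the demonstration, and the hash-set policies stand in for what a real scanner database or an application-control manifest would hold.

```python
"""Allowlist (integrity enforcement) vs. known-bad scanning of a dropped file.

Added example, not from the funsec thread. Every file body, name and
"signature" below is constructed; none corresponds to real software.
"""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a file under both policies."""
    return hashlib.sha256(data).hexdigest()


# Constructed "executables" an administrator has vetted and approved.
APPROVED_FILES: Dict[str, bytes] = {
    "editor.exe": b"MZ-editor-build-1.0",
    "browser.exe": b"MZ-browser-build-9.3",
}

# Constructed samples the scanner already has signatures for.
KNOWN_BAD_SAMPLES: List[bytes] = [b"MZ-old-worm-A", b"MZ-old-worm-B"]

ALLOWLIST: Set[str] = {sha256_hex(body) for body in APPROVED_FILES.values()}
BLOCKLIST: Set[str] = {sha256_hex(body) for body in KNOWN_BAD_SAMPLES}


def scanner_permits(data: bytes) -> bool:
    """Known-virus model: anything not matching a known-bad hash may run."""
    return sha256_hex(data) not in BLOCKLIST


def allowlist_permits(data: bytes) -> bool:
    """Integrity-enforcement model: only content matching an approved hash may run."""
    return sha256_hex(data) in ALLOWLIST


def evaluate_drop(label: str, data: bytes) -> Dict[str, object]:
    """Decision each policy makes for one file written by a browser exploit."""
    return {
        "file": label,
        "scanner_permits": scanner_permits(data),
        "allowlist_permits": allowlist_permits(data),
    }


def demo() -> Dict[str, Dict[str, object]]:
    """Run both policies over four constructed drop scenarios."""
    # Constructed modification of an approved binary (one appended byte).
    tampered_editor = APPROVED_FILES["editor.exe"] + b"\x90"
    cases = {
        "approved": APPROVED_FILES["editor.exe"],      # unchanged, vetted file
        "known_worm": KNOWN_BAD_SAMPLES[0],            # scanner has a signature
        "new_dropper": b"MZ-dropper-never-seen",       # no signature exists yet
        "tampered_approved": tampered_editor,          # approved file altered
    }
    return {label: evaluate_drop(label, data) for label, data in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(
            f"{label:18} scanner={str(verdict['scanner_permits']):5} "
            f"allowlist={str(verdict['allowlist_permits']):5}"
        )
```

Only the never-seen dropper and the tampered copy of an approved binary separate the two policies: the signature scanner lets both through because it has nothing to match, while the allowlist refuses them because neither hash is on the approved list. The example also shows the boundary Nick names: the allowlist decides only about content that lands on disk, so code that runs purely in memory after an overflow is outside its reach and is left to the other mitigations he lists.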