funsec mailing list archives

Re: standards status in the industry - opinion?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 00:35:56 +1300

Blue Boar wrote:

> Whitelisting would be a huge help.
>
> But we're a little too far down the scripting language & executable data 
> format path to completely solve the problem.

I disagree, but concede that solving some of our current problems will 
not be easy...

> For example, you can't be a standards compliant browser at this point 
> without supporting an executable data format.

So, you're saying that just because a bunch of morons designed 
something utterly brokenly (from a security perspective) from the 
outset _AND_ that much of the world "enjoys" the flexibility this 
approach has allowed (or is just too damned ill-informed or otherwise 
stupid to know any better), THAT informed security professionals (and 
others) should not try to get such gross stupidity fixed?

Look, we did it (OK, well, we have helped achieve a greater level of 
turnaround than many thought possible) with Microsoft and its shitty OS and 
general company attitude of "Security?  What _is_ security?", so why 
shouldn't we be able to get web browsers fixed by making the HTML 
standard marginally sane?

...

And this is somewhat secondary anyway, for most/all script-based 
browser exploits _still_ have to drop some or other identifiably 
"executable" code (be it a binary or a file-based script or a 
file-based macro or a file-based <whatever>) to do the bulk of the actual 
nastiness, and the whitelisting-based integrity enforcement will 
_still_ stop the "payload" of the attack, even if their browser is 
vulnerable.  With known-virus scanning you have to hope like hell that 
either your virus scanner has a good enough, generic enough (without 
raising silly FPs) detection of the browser exploit and will stop it 
(or at least alert you that things have gone pear-shaped) as the bad 
HTML/script is written to the local browser cache, OR that it already 
detects whatever it is that is dropped/further executed, etc. (which, 
increasingly, it doesn't).

Such a whitelisting approach then _mainly_ only leaves you vulnerable 
to arbitrary code execution through buffer overflows and the like and 
other forms of mitigation (reducing exposed services, developer 
education, improvements in compiler and runtime execution checks, 
DEP/NX/etc, and so on) are available to varying degrees for those.


Regards,

Nick FitzGerald
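The contrast Nick draws above, between a default-deny execution allowlist and known-virus scanning, as an added example that is not part of the original post or anything from the funsec list. It models an allowlist as a set of SHA-256 hashes of approved binaries and a "scanner" as a list of byte patterns for payloads already seen; every path, file body, process name and signature below is a constructed sample value, not data from any real system.

```python
"""Hash-based execution allowlist versus known-virus signature scanning.

Added illustration of the contrast drawn in the post; it is not code from
the post or from the funsec list. All file names, paths, file contents and
signatures below are constructed sample values.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good executables. A real deployment hashes a signed
# inventory of installed software; the dict here just stands in for it.
APPROVED = {
    "editor.exe": b"MZ...editor build 1.2 (constructed)",
    "notepad.exe": b"MZ...notepad (constructed)",
}
ALLOWLIST = frozenset(sha256_hex(body) for body in APPROVED.values())

# Constructed signature database for the "known virus scanning" model: it
# recognises only payloads someone has already seen and written a pattern for.
KNOWN_BAD_PATTERNS = [b"OLD-FAMILY-MARKER"]


@dataclass
class ExecRequest:
    path: str       # where the file sits on disk (irrelevant to the decision)
    content: bytes  # bytes that would be mapped and executed
    parent: str     # process requesting the launch


@dataclass
class Decision:
    allowed: bool
    reason: str


def signature_scan(content: bytes) -> bool:
    """Return True if a known-bad pattern is present (a detection), else False."""
    return any(pattern in content for pattern in KNOWN_BAD_PATTERNS)


def allowlist_decision(req: ExecRequest, allowlist=ALLOWLIST) -> Decision:
    """Default-deny: run only content whose hash was approved ahead of time."""
    digest = sha256_hex(req.content)
    if digest in allowlist:
        return Decision(True, f"{digest[:12]} is on the allowlist")
    # Name, path and parent process are ignored: a freshly dropped file is
    # blocked because it is unknown, not because a scanner recognised it.
    return Decision(False, f"{digest[:12]} is not on the allowlist (requested by {req.parent})")


def run_scenario():
    """Four constructed launch attempts; returns (path, scanner_hit, decision) per attempt."""
    requests = [
        # Legitimate launch of an approved binary.
        ExecRequest("C:/Program Files/Editor/editor.exe", APPROVED["editor.exe"], "explorer.exe"),
        # A browser exploit drops a never-seen payload into its cache and runs it.
        ExecRequest("C:/Users/u/AppData/Local/Temp/Cache/upd4te.exe",
                    b"MZ...dropped payload never seen before (constructed)", "browser.exe"),
        # An old, already-signatured payload dropped the same way.
        ExecRequest("C:/Users/u/AppData/Local/Temp/Cache/old.exe",
                    b"MZ...OLD-FAMILY-MARKER (constructed)", "browser.exe"),
        # An approved binary tampered with by one byte: the hash no longer matches.
        ExecRequest("C:/Program Files/Editor/editor.exe",
                    APPROVED["editor.exe"] + b"\x90", "explorer.exe"),
    ]
    return [(r.path, signature_scan(r.content), allowlist_decision(r)) for r in requests]


if __name__ == "__main__":
    for path, scanner_hit, decision in run_scenario():
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{verdict:5} scanner_hit={str(scanner_hit):5} {path}: {decision.reason}")
```

Running the scenario shows the asymmetry the post is making: the signature scanner fires only on the payload it already has a pattern for, while the allowlist blocks both dropped files and the tampered copy without knowing anything about them. The caveat is equally visible in the code: the policy keys on content hashes alone, so an approved but vulnerable program still runs, which is exactly the residual exposure (buffer overflows and the like) the next paragraph hands off to other mitigations.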

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

