-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 5 Jul 2006 05:10:09 +0100,
Mark Kent <mark.kent@xxxxxxxxxxx> wrote:
> begin oe_protect.scr
> Jim Richardson <warlock@xxxxxxxxxx> espoused:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Tue, 4 Jul 2006 16:16:25 -0500,
>> Erik Funkenbusch <erik@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> On Tue, 4 Jul 2006 11:29:43 -0700, Jim Richardson wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On Tue, 4 Jul 2006 09:51:41 -0500,
>>>> Erik Funkenbusch <erik@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>>> On Mon, 03 Jul 2006 23:40:18 +0100, Roy Schestowitz wrote:
>>>>>
>>>>>> Load ActiveX Controls on Vista Without Administrator Privileges
>>>>>>
>>>>>> ,----[ Quote ]
>>>>>>| This seems like a bad idea to me:
>>>>>>|
>>>>>>| Microsoft is adding a brand-new feature to Windows Vista to
>>>>>>| allow businesses to load ActiveX controls on systems running without admin
>>>>>>| privileges.
>>>>>> `----
>>>>>>
>>>>>> http://www.schneier.com/blog/archives/2006/07/load_activex_co.html
>>>>>
>>>>> This is no worse than setuid. It requires an administrator to configure
>>>>> it, and to decide which controls will get loaded. Of course you'd rather
>>>>> just ignore that.
>>>>
>>>> yeah, setuid, which Linux and the *nix have been trying to gracefully
>>>> remove for quite some time, MS comes along and decides that such a
>>>> dangerous route is a good thing to initiate.
>>>>
>>>> 10 years late to the party, and MS think's it's "innovating" again?
>>>>
>>>> That's just what you need, ActiveX, combined with setuid... way to go
>>>> MS! the virus writers will love this one.
>>>
>>> Interesting, so you think Setuid is a security hole?
>>>
>>
>> I think it's a potential one yes, crack that binary, and if it's setuid
>> root, you're in, how is that not a potential hole?
>
> It's very well known indeed as a security hole. When installing
> packages, debian, by default, will /not/ install eg., svgalib or similar
> suid - you have to specifically request it, and when you do so, a dire
> warning is provided regarding the security risk.
>
> Isn't it just typical of MS that their new focus on security manages to
> find /yet another/ way of making windows insecure.
>
>>
>>
>>> I haven't noticed a reduciton in setuid use, the opposite in fact.
>>
>> As for you not noticing something, that's not my problem. If you'd been
>> paying attention, you'd have noticed.
And typical then of Erik to try and spin MS' move as somehow "good"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEq1Omd90bcYOAWPYRAv64AJ9pLUKhk6gwgSmYewinn+wE7JRppACeLUM4
AIycNOubnPSDBoeljipkYlM=
=8TJu
-----END PGP SIGNATURE-----
--
Jim Richardson http://www.eskimo.com/~warlock
Beer makes you feel the way you ought to feel without beer.
-- Henry Lawson
|
|
