> Yes, it was bad design, but nevertheless a design.  This is 
> how they meant for things to be.  They thought it was a good 
> idea... 
> 
> This is why it's not a security patch that forces this upon 
> everyone (as a recent security fix that rebooted half of the 
> computers around the world).
> It was bad design, and it was fixed with an optional script 
> that you can run if it really bothers you.  

The recent security fix that you mention was also caused by a bad, but
intentional, design. The Windows Metafile format specified the ability to
execute code in specific cases. That functionality, by design, was included
within the libraries responsible for processing WMF files, back in the
Windows 3.x days. The vulnerability simply took advantage of the looseness
of this design. One could argue that the design was not so bad when it was
created, since Windows 3.x was not intended to be used on large, untrusted
networks. But outside that narrow context, it was certainly a bad design.

I disagree with your implication that the existence of a patch is the only
indicator that a security problem exists.

> It's similar to telling your router/firewall not to respond 
> to ping requests.  Some people don't want to let the world 
> know that there is a computer at that ip.  Some people would 
> rather be able to ping themselves from the outside, or don't 
> care.  It's not a major security issue.

No one said it was a major security issue. It is still a security issue,
just the same. Information disclosure often precedes more serious attacks.
An attacker might use all sorts of information sources - DNS queries, port
scans, EDGAR lookups, WHOIS lookups, and so on - to figure out plans of
attack.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

