At 6:47 AM -0700 9/26/03, [EMAIL PROTECTED] wrote:
>While part of the security problems in Windows are Microsoft specific, in
>my view a large part is inherited from earlier graphical desktop designs,
>and is almost universal in this space. Specifically, when a user clicks
>(or double-clicks) on an icon there is not a clear distinction between
>"Run" and "View". Instead we have the polymorphic "Open".
>
>If files always opened in a safe viewer, (e.g. clicking on a .pl file
>fired up an editor, not the ActiveState Perl interpreter) a good part of
>the security problem with Graphical desktops, Microsoft's, Apple's,
>RedHat's, ... would be solved. The bizarre advice we give users to not
>open message attachments would be largely unnecessary (one also needs to
>close the macro invocation problem, but this is not insurmountable).
>
>It is my contention that so long as activating an icon does not
>distinguish between "Run" and "View" all Graphical Shells will be
>insecure.
The real problem is that the viewer software, whether it is an editor, PDF
viewer, or a computer language interpreter, runs with ALL the user's
privileges. If we ran these programs with a minimum of privilege, most of
the problems would "just go away".

See:
http://www.combex.com/tech/edesk.html
http://www.combex.com/papers/darpa-review/index.html
http://www.combex.com/papers/darpa-report/index.html

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as   | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
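The two points made in this exchange, that "Open" should always mean "View" and that the viewer should run with a minimum of privilege, can be sketched in code. The following is an added example written for this thread; it is not code from either poster, from Combex, or from CapDesk. The viewer paths (/usr/bin/editor, /usr/bin/pdf-viewer, /usr/bin/image-viewer) and the helper names are placeholders assumed for illustration. The dispatch table can only ever name a viewer, never an interpreter, and the child is launched with POSIX resource limits, an empty environment, no stdin, and a single read-only descriptor for the file being viewed. Resource limits are coarse: the viewer still runs as the same user and can still open other files, so this is a step toward least privilege on an ordinary desktop, not the capability-confined desktop the linked papers describe.

```python
"""Added example for this thread: a "view, never run" launcher.

Not code from the posters or from Combex; viewer paths are placeholders.
Requires a POSIX host (uses resource limits and /dev/fd).
"""
import os
import pathlib
import resource
import subprocess

# Hypothetical viewer programs (placeholder paths, assumed for illustration).
EDITOR = ["/usr/bin/editor"]            # read-only text editor for scripts and source
PDF_VIEWER = ["/usr/bin/pdf-viewer"]
IMAGE_VIEWER = ["/usr/bin/image-viewer"]

# "Open" dispatches only to viewers. There is no entry here for perl, python,
# sh, wscript or any other interpreter, so a clicked .pl file is shown, not run.
VIEWERS = {
    ".pl": EDITOR, ".py": EDITOR, ".sh": EDITOR, ".bat": EDITOR, ".vbs": EDITOR,
    ".txt": EDITOR,
    ".pdf": PDF_VIEWER,
    ".png": IMAGE_VIEWER, ".jpg": IMAGE_VIEWER,
}
DEFAULT_VIEWER = EDITOR   # unknown types are displayed as text, never executed

# Programs that must never be chosen as an "open" handler (constructed list).
INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "cmd.exe", "wscript.exe"}

# Limits applied to the viewer before exec; soft == hard so it cannot raise them.
VIEWER_LIMITS = {
    resource.RLIMIT_NPROC: 0,    # fork() fails: the viewer cannot spawn other programs
    resource.RLIMIT_FSIZE: 0,    # any attempt to create or grow a file fails
    resource.RLIMIT_CORE: 0,     # no core dumps of the viewer's memory
    resource.RLIMIT_NOFILE: 16,  # a handful of descriptors is enough to draw one file
}


def plan_launch(path):
    """Choose the viewer for *path* and the limits it will run under.

    Pure function: returns (argv, limits) without touching the filesystem, so
    the "never an interpreter" policy can be checked without launching anything.
    """
    viewer = VIEWERS.get(pathlib.Path(path).suffix.lower(), DEFAULT_VIEWER)
    if os.path.basename(viewer[0]) in INTERPRETERS:
        raise ValueError(f"refusing to 'open' {path!r} with an interpreter")
    return list(viewer), dict(VIEWER_LIMITS)


def _restrict_viewer():
    """Runs in the child between fork() and exec(): shed authority first."""
    for limit, value in VIEWER_LIMITS.items():
        resource.setrlimit(limit, (value, value))
    os.umask(0o077)


def view(path):
    """Display *path* in its viewer with reduced privilege; returns the exit code."""
    argv, _limits = plan_launch(path)
    # Open the file here, read-only, refusing symlinks, and hand the child only
    # the descriptor. The viewer gets /dev/fd/N rather than a user-chosen path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        result = subprocess.run(
            argv + [f"/dev/fd/{fd}"],
            pass_fds=(fd,),            # subprocess makes this one fd inheritable
            close_fds=True,            # every other inherited descriptor is closed
            stdin=subprocess.DEVNULL,  # nothing to read from the terminal
            env={},                    # no PATH, no credentials from the environment
            preexec_fn=_restrict_viewer,
        )
    finally:
        os.close(fd)
    return result.returncode


if __name__ == "__main__":
    import sys
    sys.exit(view(sys.argv[1]))
```

`plan_launch` is deliberately separated from `view` so the policy (which program answers an "open", and under what limits) can be unit-tested on a machine that has none of the viewers installed; `view` is the only function that forks.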