Comment inline,

ljknews wrote:

> At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:
>
>> 3) Since my assets as a user exist in user land, isn't the risk profile
>> of malicious unmanaged code (deployed via IE/Firefox) roughly the same
>> if I am running as a 'low privileged' user or as administrator? (at the
>
> If the administrator's assets are compromised, all users of the system
> will have their assets compromised.

Sure, but if the main assets exist within that user's space, then the risk is similar.

Look at your own computer: even if you use a non-admin account (like I am doing at the moment on my PowerBook G4), if a malicious attacker is after your assets (email, VPNs, documents, credit card details, access to your online banking accounts, attacking other computers on your local network, etc.), then he can do all that from user-land (there is no need for admin privileges).

>> end of the day, in both cases the malicious code will still be able to:
>> access my files, access all websites that I have stored credentials in
>> my browser (cookies or username / passwords pairs), access my VPNs,
>
> Certainly users should not store credentials in software on a computer.

Ok, but this is impossible today (at least in Windows). In a normal user session, you will have credentials (or equivalent) in multiple user-land processes, from login accounts used in your browser to valid Kerberos tickets (or, more to the point, valid Windows security handles (i.e. tokens), which are as good as stored credentials).

The bottom line is: if your browser can do it, so can malicious code executed via your browser.

>> attack other computers on the local network, install key loggers,
>
> If one is not the administrator, there should be no way to install
> software.  If there is, the operating system is underprotected.

Who said that? I might not be able to put it under the 'Program Files' folder, add files to the Windows directory or write to some sections of the registry. But since you can run executables, you can perform all sorts of malicious actions.

A good example is .Net applications, which can be executed with no installation.

>> establish two-way communication with an Internet-based botnet, etc ...
>
> At least one aspect of that is a design defect in TCP/IP, allowing
> unprivileged users to create a port to receive inbound connections.
> Other networking protocols avoid that flaw.

This is not a design flaw with TCP/IP; the problem here is that the OS and the run-time sandbox (if there is one) are allowing this to occur.

Remember that if I can talk HTTP with an external computer (located somewhere on the Internet), then I can use it to establish a two-way communication channel.

Can you really defend that all applications that are executed on our computers (from WinZip upwards) should be able to connect to the Internet, download code and execute it with the privileges of the logged-in user?

Because that is what they can do today (if that computer is connected to the Internet :)

Dinis Cruz
Owasp .Net Project
www.owasp.net


_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
