[14299] in cryptography@c2.net mail archive


Re: Reliance on Microsoft called risk to U.S. security

daemon@ATHENA.MIT.EDU (Bill Frantz)
Fri Sep 26 23:10:09 2003

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <Pine.GSO.4.58.200309260936590.9026@sasas1.ms.com>
Date: Fri, 26 Sep 2003 17:04:05 -0700
To: Victor.Duchovni@morganstanley.com, Ian Grigg <iang@systemics.com>
From: Bill Frantz <frantz@pwpconsult.com>
Cc: cryptography@metzdowd.com

At 6:47 AM -0700 9/26/03, Victor.Duchovni@morganstanley.com wrote:
>While part of the security problems in Windows are Microsoft specific, in
>my view a large part is inherited from earlier graphical desktop designs,
>and is almost universal in this space. Specifically, when a user clicks
>(or double-clicks) on an icon there is not a clear distinction between
>"Run" and "View". Instead we have the polymorphic "Open".
>
>If files always opened in a safe viewer, (e.g. clicking on a .pl file
>fired up an editor, not the ActiveState Perl interpreter) a good part of
>the security problem with Graphical desktops, Microsoft's, Apple's,
>RedHat's, ... would be solved. The bizarre advice we give users to not
>open message attachments would be largely unnecessary (one also needs to
>close the macro invocation problem, but this is not insurmountable).
>
>It is my contention that so long as activating an icon does not
>distinguish between "Run" and "View" all Graphical Shells will be
>insecure.

The real problem is that the viewer software, whether it is an editor, PDF
viewer, or a computer language interpreter, runs with ALL the user's
privileges.  If we ran these programs with a minimum of privilege, most of
the problems would "just go away".

See:
http://www.combex.com/tech/edesk.html
http://www.combex.com/papers/darpa-review/index.html
http://www.combex.com/papers/darpa-report/index.html

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as   | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
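
The least-privilege point in the reply above, as an added example (not part of the original post and not code from Combex or CapDesk): the launcher opens the chosen file with the user's authority, and a forked, hypothetical viewer gives up the ability to open anything else before it reads the document. It assumes Linux; the function names and sample files are constructed, and resource limits are used here as a coarse stand-in for a real sandbox.

```python
import errno, os, resource, tempfile

def view_with_least_privilege(doc_path, probe_path):
    """Open doc_path as the user, then let a confined child 'viewer' read only that."""
    doc_fd = os.open(doc_path, os.O_RDONLY)   # the single authority handed over
    r, w = os.pipe()                          # channel for the viewer's result
    pid = os.fork()
    if pid == 0:                              # child: hypothetical viewer
        status = 1
        try:
            os.close(r)
            # Irreversibly (for an unprivileged process) give up opening new
            # descriptors, growing files and creating processes. Descriptors
            # that are already open keep working.
            for lim in (resource.RLIMIT_NOFILE, resource.RLIMIT_FSIZE,
                        resource.RLIMIT_NPROC):
                resource.setrlimit(lim, (0, 0))
            text = os.read(doc_fd, 4096)      # viewing the document still works
            try:                              # reaching for anything else does not
                os.close(os.open(probe_path, os.O_RDONLY))
                blocked = b"0"
            except OSError as e:
                blocked = b"1" if e.errno == errno.EMFILE else b"0"
            os.write(w, blocked + text)
            status = 0
        finally:
            os._exit(status)                  # never return into the launcher
    os.close(w)
    os.close(doc_fd)
    with os.fdopen(r, "rb") as pipe:
        out = pipe.read()
    os.waitpid(pid, 0)
    return {"other_open_blocked": out[:1] == b"1", "content": out[1:]}

def demo():
    # Constructed sample files: an attachment and a stand-in for other user data.
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "attachment.pl")
        secret = os.path.join(d, "secret.txt")
        with open(doc, "w") as f:
            f.write("print 'hello';\n")
        with open(secret, "w") as f:
            f.write("stand-in for the user's other files\n")
        return view_with_least_privilege(doc, secret)

if __name__ == "__main__":
    print(demo())
```
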
