[4350] in WWW Security List Archive
Re: ActiveX Bank-Quicken Exploit
daemon@ATHENA.MIT.EDU (Kenneth E. Rowe)
Tue Feb 11 12:54:38 1997
From: "Kenneth E. Rowe" <kerowe@ncsa.uiuc.edu>
Date: Tue, 11 Feb 1997 08:34:00 -0600
In-Reply-To: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
"Re: ActiveX Bank-Quicken Exploit" (Feb 11, 1:22)
Reply-To: "Kenneth E. Rowe" <kerowe@ncsa.uiuc.edu>
To: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>,
"WWW Security List" <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
On Feb 11, 1:22, Phillip M Hallam-Baker wrote:
> Subject: Re: ActiveX Bank-Quicken Exploit
[stuff deleted]
> The question is "what is untrusted". Most UNIX software was distributed as
> source code and compiled by the end user. Windows software tends to be
> binaries - even if you are prepared to give out source, the users probably
> can't compile it. Account-based protection is a good thing. If every system
> was C2 compliant - not hard - then computer security would be much easier.
>
> NB: UNIX is not C2 secure, merely "generally reckoned to be so"; even the
> C2 kits tend not to offer genuine compliance. The standard makes explicit
> requirements for documentation that I've never seen a UNIX system attempt.
> Similarly I fail to see how a system could possibly ship sendmail and claim
> to be C2 compliant.
[stuff deleted]
>-- End of excerpt from Phillip M Hallam-Baker
But when talking about ActiveX exploits, a C2 system doesn't address the problem
anyway. ActiveX attacks are Trojan Horse attacks ... they are brought "in" by
the user and run with that user's privileges. While a C2 system will protect
the Operating System, it won't protect a user's (discretionary access)
space from being corrupted.
Ken.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMwCDUlZ9UpUUaI7dAQFGxwQAnYDLmnJRcXPW+eqnu7okoqvizsoMRM1c
esSPGAPrAM5xbxiYZ8GkL67a/5UaNwzUx4nh0AZBjo4NO1uS3+Yft8qUvhte9eYQ
xd1BJmY+qgBE4qMKEttY3FNv6ebL7HsWrsn9vz1sApJwPoNOO3yeS7+WjbRQlNvF
XQXqOjPulgw=
=3CIj
-----END PGP SIGNATURE-----
--
========================================================
Kenneth E. Rowe kerowe@ncsa.uiuc.edu
Senior Security Engineer / (217) 244 5270 (office)
Security Coordinator (217) 244 0710 (IRST)
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
URL http://www.ncsa.uiuc.edu/people/kerowe
E-mail irst@ncsa.uiuc.edu for Computer Incident Response
========================================================
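Editor's added illustration of the point Ken makes above (this is not code from the message or from anyone in the thread): a toy POSIX-style discretionary access control check shows that a Trojan horse executing with the user's own uid is denied writes to root-owned operating-system files, yet is legitimately allowed to write the user's own data files, so the per-file permission model never has to be bypassed. The uids, paths and mode bits are constructed for the example.

```python
"""Toy discretionary-access-control (DAC) model: why code that runs *as the
user* is not stopped by per-file permission bits when it targets that user's
own files. Constructed example; users, paths and modes are made up.
"""
from dataclasses import dataclass, field

# Permission bits, POSIX style: read=4, write=2, execute=1
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Subject:
    """A running process: the uid it runs as and the groups it belongs to."""
    uid: int
    gids: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class FileObj:
    """A file with its owner, group and mode bits (e.g. 0o644)."""
    path: str
    owner_uid: int
    owner_gid: int
    mode: int


def dac_allows(subject: Subject, f: FileObj, wanted: int) -> bool:
    """POSIX-style DAC decision.

    Exactly one permission class is consulted: owner bits if the uid matches,
    else group bits if any gid matches, else the "other" bits. A process
    matching the owner is judged by the owner bits alone, even if the group
    or other bits would have been more generous.
    """
    if subject.uid == f.owner_uid:
        bits = (f.mode >> 6) & 0o7
    elif f.owner_gid in subject.gids:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & wanted == wanted


# Constructed filesystem: OS files owned by root (uid 0), user data owned by
# the hypothetical user "alice" (uid 1000, gid 1000).
ROOT, ALICE = 0, 1000
FILES = {
    "/etc/passwd": FileObj("/etc/passwd", ROOT, 0, 0o644),
    "/usr/bin/login": FileObj("/usr/bin/login", ROOT, 0, 0o755),
    "/home/alice/quicken.qdf": FileObj("/home/alice/quicken.qdf", ALICE, 1000, 0o600),
}


def trojan_write_attempts(subject: Subject, paths) -> dict:
    """Return {path: allowed?} for a write attempt by `subject` on each path.

    Models a Trojan horse (such as a downloaded control) executing with the
    privileges of the user who ran it. The OS files stay protected; the
    user's own data does not, because the DAC check correctly succeeds.
    """
    return {p: dac_allows(subject, FILES[p], W) for p in paths}


if __name__ == "__main__":
    trojan = Subject(uid=ALICE, gids=frozenset({1000}))
    for path, ok in trojan_write_attempts(trojan, FILES).items():
        print(f"{'ALLOW' if ok else 'DENY':5} write {path}")
```

The decision function is the whole story: the C2-style protection of system files holds because the subject's uid does not match root, while the user's data file is writable because it does match. A defence against this class of problem therefore has to constrain what the downloaded code may do (sandboxing, code signing and provenance checks, or a separate low-privilege identity for untrusted code) rather than rely on the user's own file permissions.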