[11838] in bugtraq

Re: IE5 allows executing programs

daemon@ATHENA.MIT.EDU (SysAdmin)
Sat Sep 11 01:20:03 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id:  <NDBBJHJLCKGHBILJGOJDEEGBCAAA.SysAdmin@sassproductions.com>
Date:         Wed, 8 Sep 1999 20:27:58 -0400
Reply-To: SysAdmin <SysAdmin@SASSPRODUCTIONS.COM>
From: SysAdmin <SysAdmin@SASSPRODUCTIONS.COM>
X-To:         Kragen Sitaker <kragen@POBOX.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.10.9909051544360.5314-100000@kirk.dnaco.net>

>Are there manufacturers that ship NT with NTFS by default?

I don't think there are. I don't mean to contradict David LeBlanc, because he
happens to have a temper like a horse with a splinter in his balls, but
Hewlett Packard does not, Micron does not, and the default for MY Windows NT
install disk IS FAT. Plus Alphas, which I like, can't use NTFS either. A lot
of people leave it in FAT because of a system they intend to dual-boot with
Windows 98 as well. I assume that most dealers ship a partition in FAT, if
for nothing else than the easy DOS access.

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Kragen
Sitaker
Sent: Sunday, September 05, 1999 3:56 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IE5 allows executing programs


David LeBlanc writes:
> YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE.  Period.  End of story.
> What you do with that code is up to you.  There is no need to delve into
> the details of just how you steal the lunch money from the end users.

Well, it should be noted that there are things you can do with that
code that are a lot worse than deleting all of somebody's files.
Password theft, credit-card theft, wholesale identity theft,
distributed computation (need to crack a DES message in a day?),
embezzling money if they use CheckFree, blackmail, and corporate
espionage come to mind.

This sort of thing will happen, sooner or later, on a wide scale --
unless we can do something about it soon.

> >The other
> >thing is that the default install for NT (especially on HP's) is FAT,
>
> Wrong.  That could be how that manufacturer sets up _some_ of their
> machines, but it isn't default for NT install.

Micron and Intergraph also install NT on FAT when they ship it to you.
Micron hassles you if you switch to NTFS and then call them for
support; they wanted my co-worker to reinstall NT on FAT and then call
them back if he was still having trouble.  The NT install program gives
you the option of FAT or NTFS; I don't remember which it picks by default.

If I recall correctly (I've only installed NT five or six times), if
you later convert to NTFS (without reinstalling), you carry over the
FAT permissions: "Full Control" for "All Users" on everything.

> Most people who don't know what NTFS is are still using it if they are
> running NT.

Are there manufacturers that ship NT with NTFS by default?

--
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
Tue Aug 24 1999
76 days until the Internet stock bubble bursts on Monday, 1999-11-08.
<URL:http://www.pobox.com/~kragen/bubble.html>