From: marcs <marcs@skyhunter.com>
Replying To: Jonathan S. Shapiro <shap@eros-os.org>
Date: Tue, 3 Dec 2002 14:46:53 -0700
Subject: Re: [e-lang] capability myths demolished!

On Sunday 01 December 2002 08:47 am, Jonathan S. Shapiro wrote:
> On Thu, 2002-11-28 at 12:47, marcs wrote:
> > -- Microsoft IE has had a bug in it that allows outsiders to take full control
> > of the system if the user goes to the attacker's web page; this bug is 
> > present in both IE 5.5 and IE 6.0. An attacker that didn't bother to tell 
> > anyone about the exploit when he found it could have been using it for over a
> > year, subverting millions of computers, before anyone realized there was a 
> > bug, much less realize that Microsoft's certificate should be revoked (oh, 
> > yeah, visualize that happening :-). Once again, POLA confinement of the IE 
> > application would change this from a security nightmare of catastrophic 
> > proportions into a minor programming bug.
> 
> 
> Where is this documented?


Listing on BugTraq:
http://online.securityfocus.com/archive/1/298748

Article about defenses: 
http://www.jmu.edu/computing/security/info/iehot.shtml

Article in Wired, not about the exploit, but about how terrible it is that the 
exploit was posted in such detail that script kiddies could use it: 
http://www.wired.com/news/infostructure/0,1377,56463,00.html

--marcs
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang