Sunday 10 August 2008, 9:45 AM
VISTA dead in the water.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html
"By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine."
This is not a new flaw; this is something that can only be fixed by a full reconstruction of the OS. I wonder if this will cause a mass migration away from Microsoft products, because obviously they didn't consider this when building Vista. IE has always been the most insecure browser on planet Earth, and now with this new information it will need to be rebuilt from the ground up. So anyone using Vista and IE, happily roaming around thinking they are safe because they have been told this is the most secure version of Windows ever, had better be thinking about where they go from here. Computer manufacturers forced to preload Vista might be thinking it's time to start offering alternatives. It will be interesting to see how Microsoft reacts to this news.
Comments on this post
Interesting information. Thanks for posting the link.
I like the profile picture, by the way.
jw
I read the paper and didn't think this sounded correct. As far as I can tell the researchers have found two bugs which allow working around ASLR but you still need a working exploit to get any further.
I think the major fix for MS is to fix the .NET loader in the OS so it throws away the native portion of the app and ignores the positional information. Problem MOSTLY solved. The other issue is that both Adobe & Sun need to fix Flash & Java so they don't effectively allow code to be loaded at a specific address.
This isn't a "the sky is falling in" problem. Ed Bott already interviewed the researcher here http://blogs.zdnet.com/Bott/?p=513 and links to several other articles that say the same thing.
The Ars Technica article here goes into more detail:
http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html


