On Mon, 1 Dec 2003, Thor Larholm wrote:

> How, you might ask? Simple, I have locked down the My Computer security
> zone on my installations [1].

Considering the complexity of such a change (isn't it funny you say "Simple" here and go on to explain how tricky the change is?), and the fact that it clearly goes right against MS's own intentions, it might be easier, simpler and more reliable to send MSIE to where it belongs (to the digital hell, IMHO... yes, I am biased) and use another browser.

> As a final comment, I do believe that vulnerability researchers should
> notify vendors of potential vulnerabilities and give them some time to
> fix these before exposing the public to the dangers of those
> vulnerabilities. Posting demonstratory proof-of-concept code has served
> to apply pressure in the past towards unresponsive vendors, but not
> giving the vendors any chance to respond at all in the first place is
> simply irresponsible and jeopardizes the security of the Internet as a
> whole.

What about vendors who fix implementation errors but refuse to fix fatal design errors?

In MSIE's case, the fatal design error is a poor separation of zones (anyone who knows a little bit about mandatory access control and information labelling should be able to prevent any future vulnerabilities of this kind rather easily) or, from a more extremist point of view, the mere existence of the "My Computer Zone" -- why the hell should a piece of code running on top of a *web* browser ever be allowed to mess with my computer?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."