Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: IE5 allows executing programs
From: kragen () POBOX COM (Kragen Sitaker)
Date: Sun, 5 Sep 1999 15:55:52 -0400


David LeBlanc writes:
YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE.  Period.  End of story.
What you do with that code is up to you.  There is no need to delve into
the details of just how you steal the lunch money from the end users.

Well, it should be noted that there are things you can do with that
code that are a lot worse than deleting all of somebody's files.
Password theft, credit-card theft, wholesale identity theft,
distributed computation (need to crack a DES message in a day?),
embezzling money if they use CheckFree, blackmail, and corporate
espionage come to mind.

This sort of thing will happen, sooner or later, on a wide scale --
unless we can do something about it soon.

The other
thing is that the default install for NT (especially on HP's) is FAT,

Wrong.  That could be how that manufacturer sets up _some_ of their
machines, but it isn't default for NT install.

Micron and Intergraph also install NT on FAT when they ship it to you.
Micron hassles you if you switch to NTFS and then call them for
support; they wanted my co-worker to reinstall NT on FAT and then call
them back if he was still having trouble.  The NT install program gives
you the option of FAT or NTFS; I don't remember which it picks by default.

If I recall correctly (I've only installed NT five or six times), if
you later convert to NTFS (without reinstalling), you carry over the
FAT permissions: "Full Control" for "All Users" on everything.

Most people who don't know what NTFS is are still using it if they are
running NT.

Are there manufacturers that ship NT with NTFS by default?

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
Tue Aug 24 1999
76 days until the Internet stock bubble bursts on Monday, 1999-11-08.
<URL:http://www.pobox.com/~kragen/bubble.html>



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]