|
Full Disclosure
mailing list archives
Re[2]: Another IE trick (Re: IE sucks : sun java virtual machine insecure tmp file creation)
From: 3APA3A <3APA3A () security nnov ru>
Date: Fri, 9 Jul 2004 20:41:58 +0400
Dear Eric Paynter,
Yes, it's possible and I always recommend to deny execution in user's
profile and home directory. But HTML file doesn't need execute
permission to open. Of cause, in this case then trojan gets executed
it's harder to infect system, but it's still possible to steal some
information.
--Friday, July 9, 2004, 8:26:23 PM, you wrote to full-disclosure () lists netsys com:
EP> On Fri, July 9, 2004 7:43 am, http-equiv () excite com said:
There are lots of little .tmp files generated and accessible
remotely to be had, Adobe *.pdf's and a vast array of Microsoft
Office 2003 crud to name just two. Many others which have been
identified and discussed in the past as well.
EP> I think:
EP> mount /dev/xxxx /tmp -o noexec
EP> would reduce the risk significantly. Can you do something equivalent in
EP> Windows?
EP> -Eric
EP> --
EP> arctic bears - affordable custom email and name services
EP> http://www.arcticbears.com
EP> _______________________________________________
EP> Full-Disclosure - We believe in it.
EP> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
~/ZARAZA
Ñóùåñòâóþ ëèøü ÿ ñàì, íèêóäà íå ëåòÿ. (Ëåì)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
|
Intro
