Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed
From: David Blanc <davidblanc1975 () gmail com>
Date: Fri, 29 May 2009 20:59:12 +0530

Duarte Silva, the creator of the so-called FFSpy PoC seems to be
suggesting that the plugin mechanism of most software which allows a
user to run a plugin in the context of the user running the software
is flawed.

First of all, here is the lame PoC for those who want to read it:
http://myf00.net/?p=18 You can see a few comments where people are
trying to ask how exactly the attack is carried out. However, Duarte
has been giving lame responses such as: "True. But is also interesting
to see that there isn’t nothing to ensure the user the plug-in isn’t
changed."

In his wrap up blog at http://myf00.net/?p=97 he seems to suggest that
the existing plugin or add on mechanism of most software is flawed. Do
read his comments at the end of the blog.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • FFSpy Buster : Duarte Silva announces that the security of most software allowing plugins such as vim, emacs, gnome, eclipse, etc. is flawed David Blanc (May 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]