Full Disclosure: Re: DLL hijacking with Autorun on a USB drive

[Christian Sciberras <uuf6429 () gmail com>]

> (and yes, "interpreted data" like shell scripts and Java .class files and Flash
> are the sort of neither-fish-nor-fowl that give security models headaches, so
> don't bother flaming about that. ;)
OK. Also add exploits in non-executable data as well (such as a certain gif...).


What was your point again?


Cheers.



On Wed, Sep 1, 2010 at 12:56 AM,  <Valdis.Kletnieks () vt edu> wrote:
> On Wed, 01 Sep 2010 08:34:47 +1000, paul.szabo () sydney edu au said:
> > Christian Sciberras <uuf6429 () gmail com> wrote:
> >
> > > Why do you say harmless? Because you know a text file can't do
> > > anything at all.
> > Exactly. The victim is attempting to view a plain text file. Surely
> > that can be done safely?
> Only if your OS's security model understands the fact that executable code
> and data belong in different security domains and thus different rules should
> apply about what files to "trust" in each category.
>
> (and yes, "interpreted data" like shell scripts and Java .class files and Flash
> are the sort of neither-fish-nor-fowl that give security models headaches, so
> don't bother flaming about that. ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/