Posted by TC on 09/13/06 08:55
Andy Dingley wrote:
> TC wrote:
>
> > You'll see that *IE itself* has added the MOTW.
>
> Agreed.
>
> Now what's to stop the 3v1l h4xx0r adding that mark themselves, before writing the page ?
Nothing. But you still need to focus on who is creating the file & how
they are creating it.
o If the file is being created through the normal operation of IE,
then, including the MOTW does not /elevate/ the page's privileges (ie.
it does not make them /higher/ than they were before). It stops IE
/degrading/ the page's privileges (ie. making them /lower/ than they
were before). So the hacker is welcome to add the MOTW to their pages as
much as he likes. This does not gain him anything that he did not have
before. Indeed, as I have shown, IE will actually add the mark for him!
o If the file is being created by someone who has somehow obtained
unauthorized access to the local filesystem, then, all bets are off,
and the MOTW is irrelevant.
> This is annotation that says "Trust this page, it's OK really", but it's also trivial to forge it.
No - that's not what it says. The MOTW says, "Dear IE, please run this
page under the security restrictions applicable to the Zone (Internet,
Trusted, or Restricted) that is applicable to the URL in the MOTW."
The only way that this would be a problem, is if a page from a website
in the Internet Zone, could include an MOTW that asked for that page to
be run in the Trusted Zone - thus illegally elevating the privileges of
that page.
I haven't tested that case myself, but, I'm absolutely confident that
MS know what they are doing with this, and therefore, that it would
*not* serve to elevate the untrusted page's security zone. But I will
test this in due course.
In summary, you shouldn't assume that the MS folks who designed this
feature, are total idiots, and have overlooked something as simple as
the hacker adding his own MOTW. They've made various security bloopers
over the years - but they aren't total idiots. You can't seriously
believe that there are folks in MS thinking: "D'oh!! We forgot that the
hacker could add an MOTW himself!!"
TC (MVP MSAccess)
http://tc2.atspace.com
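
An added example, not part of TC's post: a small audit script that reads the MOTW out of saved HTML and flags files whose mark names a URL on a locally trusted host, which is the case the post says still needs testing. It assumes the documented comment form `<!-- saved from url=(NNNN)URL -->` (NNNN being the character count of the URL); `TRUSTED_HOSTS`, the verdict names and the sample pages are constructed for illustration and do not reproduce IE's real zone mapping.

```python
import re
from urllib.parse import urlsplit

# MOTW comment form: <!-- saved from url=(NNNN)URL -->, NNNN = len(URL)
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.I)

# Assumption: hosts this machine has placed in its Trusted sites zone.
TRUSTED_HOSTS = {"intranet.example.org"}

def parse_motw(html):
    """Return (url, length_ok) for the first MOTW comment, or None if absent."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    url = m.group(2)
    return url, int(m.group(1)) == len(url)

def audit(html):
    """Verdict for one saved page: no-motw, malformed, claims-trusted, not-trusted."""
    parsed = parse_motw(html)
    if parsed is None:
        return "no-motw"          # no mark: the file is handled as a plain local file
    url, length_ok = parsed
    if not length_ok:
        return "malformed"        # declared length disagrees with the URL
    host = urlsplit(url).hostname  # None for about:internet
    if host in TRUSTED_HOSTS:
        return "claims-trusted"   # worth checking where the file really came from
    return "not-trusted"

# Constructed sample pages.
SAMPLES = {
    "saved.htm": "<!-- saved from url=(0023)http://www.example.com/ -->\n<html></html>",
    "generic.htm": "<!-- saved from url=(0014)about:internet -->\n<html></html>",
    "claim.htm": "<!-- saved from url=(0028)http://intranet.example.org/ -->\n<html></html>",
    "bad.htm": "<!-- saved from url=(0014)http://www.example.com/ -->\n<html></html>",
    "plain.htm": "<html><body>no mark</body></html>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:12} {audit(html)}")
```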