Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- To: "Pavel Kankovsky" <peak@xxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Date: Mon, 27 Mar 2006 17:04:01 -0500
On 3/27/06, Pavel Kankovsky <peak@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 27 Mar 2006, Brian Eaton wrote:
>
> > I wasn't sure if Windows actually supported mandatory access controls,
> > so I poked around on Microsoft's web site a bit. Yes, Windows
> > supports MAC.
>
> MS Windows does not support MAC. Its future version (i.e. Vista) might
> support some half-baked (*) pseudo-MAC.

Thanks for the info. I'm not a Windows expert by any means, just going
by what I read on their web site. ;-)

> > In his original note, Dinis raised a good point: even a restricted
> > browser has access to all kinds of sensitive personal information,
> > such as passwords to web sites. MAC would not prevent an exploit from
> > stealing that kind of data.
>
> Nonsense. MAC was invented by soldiers and spooks to protect
> confidentiality. (The use of MAC to protect integrity is, in fact, an
> afterthought.)
>
> Properly implemented and configured MAC can prevent the leakage of
> confidential (i.e. sensitive personal) information to (unauthorized) web
> sites.

You lost me here. How would you design a MAC policy that lets Firefox
remember my password for a web site, but doesn't let arbitrary code
running via a buffer overflow get at that same password?

Regards,
Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/