Reliance on Microsoft called risk to U.S. security

[Bill Frantz]

At 6:47 AM -0700 9/26/03, Victor.Duchovni at morganstanley.com wrote:
>While part of the security problems in Windows are Microsoft specific, in
>my view a large part is inherited from earlier graphiscal desktop designs,
>and is almost universal in this space. Specifically, when a user clicks
>(or double-clicks) on an icon there is not a clear distinction between
>"Run" and "View". Instead we have the polymorphic "Open".
>
>If files always opened in a safe viewer, (e.g. clicking on a .pl file
>fired up an editor, not the ActiveState Perl interpreter) a good part of
>the security problem with Graphical desktops, Microsoft's, Apple's,
>RedHat's, ... would be solved. The bizarre advice we give users to not
>open message attachments would be largely unnecessary (one also needs to
>close the the macro invocation problem, but this is not insurmountable).
>
>It is my contention that so long as activating an icon does not
>distinguish between "Run" and "View" all Graphical Shells will be
>insecure.

The real problem is that the viewer software, whether it is an editor, PDF
viewer, or a computer language interpreter, runs with ALL the user's
privileges.  If we ran these programs with a minimum of privilege, most of
the problems would "just go away".

See:
http://www.combex.com/tech/edesk.html
http://www.combex.com/papers/darpa-review/index.html
http://www.combex.com/papers/darpa-report/index.html

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as   | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com