Security Holes That Run Deep
Mark Burnett, 2004-12-20

How a seemingly simple Microsoft bug betrayed its author's disdain for a wide range of secure coding principles.

Failing Open vs. Closed 2004-12-22
Andy S.
Some systems are configured out of the box to allow access to all configured resources unless a rule is put in place to block access. I can't think of a webserver that doesn't enforce this as its basic policy: allow all by default unless told otherwise.

Other systems default closed. Some firewalls, especially the simple home-user ones, come with a default configuration that denies all.

I'm not sure that failing open is really what's happening here. A webserver is designed to serve up traffic. It is designed to allow access to the contents of the webserver unless told otherwise.

While we can argue whether vendors should have their base authorization rule engine default-deny or default-allow, it isn't clear to me in this case that this is really a standard case of failing open.

It's a bug in the authorization handler, but not a bug in the security logic.

Copyright 2009, SecurityFocus