Security Holes That Run Deep

Security Holes That Run Deep
Mark Burnett, 2004-12-20

How a seemingly simply Microsoft bug betrayed its author's disdain for a wide range of secure coding principles.

Security Holes That Run Deep 2004-12-20
Anonymous (2 replies)

Security Holes That Run Deep 2004-12-22
michaels (1 replies)

Security Holes That Run Deep 2004-12-23
Anonymous

The design is faulty, or at least the design that states the process runs at such a high privelige level that this sort of thing is possible. There is no need for any application to have direct full access to the system.

When I thought I needed Apache on Unix to run as root, I have to jump through hoops. IIRC, I had to patch the source of the server to stop it refusing to run as root.

An application on a server should be able to access what it needs to access, and no more. This is easiest achieved by running it with restricted user permssions and let a known good authorisation scheme (ACLs on files and folders) allow or deny access, instead of trusting the application.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/285/29664#29664

Security Holes That Run Deep 2004-12-26
Anonymous

Nothing new from MS here... 2004-12-21
Anonymous

Security Holes That Run Deep 2004-12-21
bazzargh

Failing Open vs. Closed 2004-12-22
Andy S.

Security Holes That Run Deep 2004-12-23
Anonymous

Security Holes That Run Deep 2004-12-29
Anonymous-Philippines (1 replies)

Re: Security Holes That Run Deep 2009-06-10
Anonymous - US