On Fri, Aug 27, 2010 at 1:06 AM, <[email protected]> wrote:
> Dan Kaminsky <[email protected]> wrote:
>
> >> Badly setup desktops: do not "hide extensions", maybe view details
> >> (or list) not icons.
> >
> > All that matters is defaults, and icons are way more powerful ...
>
> Those defaults are wrong, change them. Anyway, icons are shown
> with "view details".
>
I think you mean application types are shown with "view details". The problem is, there are a couple dozen application types that are all code execution equivalent by design. Do you know all of them? Why should a user?

> > The web browser and the email client are not designed to launch
> > arbitrary code. The desktop ... is.
>
> This attack may happen through the browser (UNC paths or somesuch).
> Any talk about USB sticks or desktops is bogus.
>

There's no path between IE and a UNC window that doesn't either security prompt or raise an unadorned Explorer window to a remote share. I could see an argument that the latter should prompt, given that it's a (by definition) code execution context. But that's about it.
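The "couple dozen application types" point above is easy to check on a real box. The PowerShell below is an added example for this page; it is not code from either poster. It reads the Explorer "hide extensions" setting the thread argues about (the HideFileExt value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced), then walks PATHEXT plus an editor-supplied list of further double-click-executable types and resolves each to the command Explorer would run. The $extra list is this editor's assumption, not a claim from the thread; extend it for your environment.

```powershell
# Added example, not from the original thread. Audits the two things the
# discussion turns on: whether Explorer hides extensions, and which file
# types the shell treats as code on double-click.

$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($null -eq $hide) { $hide = 1 }   # value absent: Windows default is to hide extensions
if ($hide -ne 0) {
    Write-Warning "Explorer is hiding known file extensions (HideFileExt=$hide)."
    # To apply the change the thread recommends, uncomment the next line:
    # Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 -Type DWord
}

# Extensions the command processor runs directly, taken from the live system.
$pathext = $env:PATHEXT -split ';' | Where-Object { $_ } | ForEach-Object { $_.ToLower() }

# Further types Explorer hands to an interpreter or installer on open even
# though they are not in PATHEXT. Assumption by this editor; not exhaustive.
$extra = '.lnk', '.pif', '.scr', '.hta', '.msi', '.msp', '.reg', '.inf',
         '.ps1', '.jar', '.jse', '.vbe', '.wsh', '.ws', '.cpl', '.application'

$candidates = ($pathext + $extra) | Sort-Object -Unique

foreach ($ext in $candidates) {
    # .ext -> ProgID -> shell\open\command, the same resolution Explorer performs.
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
                -ErrorAction SilentlyContinue).'(default)'
    $cmd = $null
    if ($progId) {
        $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                 -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $cmd }
}
```

Types whose OpenCommand comes back empty (.lnk is the usual case) are not safe; they are launched by a shell extension rather than a registered command line, which is exactly the kind of entry a user cannot be expected to know about. Run it as the user whose desktop you are assessing, since HideFileExt is per-user.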
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
