On Fri, Aug 27, 2010 at 9:10 AM, <[email protected]> wrote:
> On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said:
>
> > Why wouldn't eliminating the CWD from the DLL search order fix the problem?
> > I asked Microsoft about this
> > ( http://blogs.pcmag.com/securitywatch/2010/08/list_of_dll_vulnerability_wind.php )
> > and they said the obvious answer, that it would break too many customer
> > installations. And I guess it would break a bunch of them, but there really
> > isn't a good reason for anyone to load a DLL from the CWD, is there?
>
> The mentality that "Our program only works with version 1.14 of the DLL so
> we'll ship a copy of it in the directory" is too entrenched. That's why you'll
> see a box that has 4 or 5 different copies of the Java RTE on it. Of course,
> on a *sane* system you'd use a variable like LD_LIBRARY_PATH to say where to
> find the libraries (and maybe apply some W^X exclusion to path components).
> But there's just too many 3rd party packages that would have to be updated to
> make it palatable.
As opposed to other platforms that, what, don't have 3rd party packages? :)

> Remember - Microsoft doesn't have any real commitment to deliver a truly
> secure system to you. It has a commitment to deliver just enough security
> and other features so it can deliver dollars to its shareholders. We all *know*
> what it would take to secure it - and it won't happen because the resulting
> paradigm shifts will torpedo sales.

Oh, come on. MS puts more effort into delivering a secure platform than pretty
much anyone at this point. They're just not the low-hanging fruit they once were.

The difference between attack and defense is that we know when attack doesn't
work. Unrolling this one characteristic pretty much yields security as it stands
today. It's why attack research is so important -- it's our only source of
ground truth!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
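The thread above argues about whether dropping the current working directory (CWD) from the DLL search order would fix the "binary planting" class of bugs. The script below is an added illustration for this thread, not code from any of the posters or from Microsoft: it models the documented Win32 search order for an unqualified LoadLibrary("name.dll") call (with SafeDllSearchMode on: application directory, System32, the 16-bit System directory, the Windows directory, CWD, then PATH; with it off, CWD moves to second place) against a constructed directory layout, and shows which lookups end up in the CWD and how that changes when the CWD is removed, as a process does for itself by calling SetDllDirectory(""). The directory names, DLL names, the "\\attacker\share" location and the PATH entry are all made up for the example; it does not touch the real loader.

```python
"""Model of the Win32 DLL search order, used to show which DLL loads can be
redirected through the current working directory (CWD) and what dropping the
CWD from the order changes.

Added illustration for the thread, not code from the posters or from
Microsoft. The directory layout, DLL names and share path are constructed,
and the lookup is a simulation of the documented order, not a real
LoadLibrary call.
"""

from typing import Dict, List, Optional, Set

# Constructed filesystem: directory -> names of the files it contains.
# \\attacker\share stands in for a remote location the user opened a file from.
FS: Dict[str, Set[str]] = {
    r"C:\Program Files\Viewer": {"viewer.exe", "imgcodec.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "dwmapi.dll"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    r"C:\Windows\System32\Wbem": set(),  # a typical PATH entry (assumed)
    r"\\attacker\share": {"dwmapi.dll", "plugin_helper.dll", "imgcodec.dll"},
}

APP_DIR = r"C:\Program Files\Viewer"       # directory of the running .exe (constructed)
CWD = r"\\attacker\share"                   # where the user double-clicked a file (constructed)
PATH_DIRS = [r"C:\Windows\System32\Wbem"]   # assumed PATH contents (constructed)

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_mode: bool = True, include_cwd: bool = True) -> List[str]:
    """Directories consulted, in order, for an unqualified DLL name.

    safe_mode=True  mirrors SafeDllSearchMode (the default): app dir,
                    System32, System, Windows, CWD, PATH.
    safe_mode=False puts the CWD second, right after the app dir.
    include_cwd=False models a process that removed the CWD from its own
                    search order with SetDllDirectory("").
    """
    order = [app_dir]
    if include_cwd and not safe_mode:
        order.append(cwd)
    order.extend(SYSTEM_DIRS)
    if include_cwd and safe_mode:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve(name: str, app_dir: str = APP_DIR, cwd: str = CWD,
            path_dirs: List[str] = PATH_DIRS, safe_mode: bool = True,
            include_cwd: bool = True) -> Optional[str]:
    """Return the full path the modelled loader would pick, or None if unresolved."""
    wanted = name.lower()
    for directory in search_order(app_dir, cwd, path_dirs, safe_mode, include_cwd):
        if any(f.lower() == wanted for f in FS.get(directory, ())):
            return directory + "\\" + name
    return None


def exposed_via_cwd(names: List[str], **kwargs) -> List[str]:
    """Subset of `names` that the modelled loader would take from the CWD."""
    cwd = kwargs.get("cwd", CWD)
    return [n for n in names if resolve(n, **kwargs) == cwd + "\\" + n]


if __name__ == "__main__":
    wanted = ["imgcodec.dll", "dwmapi.dll", "plugin_helper.dll"]
    scenarios = [
        ("SafeDllSearchMode on", {}),
        ("SafeDllSearchMode off", {"safe_mode": False}),
        ('CWD removed via SetDllDirectory("")', {"include_cwd": False}),
    ]
    for label, kw in scenarios:
        print(f"{label}:")
        for n in wanted:
            print(f"  {n:18} -> {resolve(n, **kw)}")
        print(f"  taken from CWD: {exposed_via_cwd(wanted, **kw)}")
```

What the run shows: a DLL the application ships next to its .exe (imgcodec.dll) and a DLL present in System32 (dwmapi.dll) are never taken from the CWD while SafeDllSearchMode is on; only a name that is found in none of the earlier directories (plugin_helper.dll here) falls through to the CWD. With SafeDllSearchMode off, the System32 copy of dwmapi.dll is shadowed as well. Removing the CWD turns the plugin_helper.dll lookup into a failure (None) rather than a load from the share, which is exactly the "it would break installations that rely on the CWD" trade-off the thread describes. The model leaves out steps the real loader performs before touching the filesystem (already-loaded modules, the KnownDLLs list, manifest redirection), so treat it as a way to reason about which of a program's imports are actually exposed, not as a substitute for watching the real loader with a tool such as Process Monitor.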
