Gary McGraw wrote:

> To cycle this all back around to the original posting, let's talk about
> the WMF flaw in particular. Do we believe that the best way for
> Microsoft to find similar design problems is to do code review? Or
> should they use a higher level approach?
>
> Were they correct in saying (officially) that flaws such as WMF are hard
> to anticipate?

I have heard some very insightful security researchers from Microsoft pushing an abstract notion of "attack surface", which is the amount of code/data/API/whatever that is exposed to the attacker. To design for security, among other things, reduce your attack surface.
The WMF design defect seems to be that IE has too large of an attack surface. There are way too many ways for unauthenticated remote web servers to induce the client to run way too much code with parameters provided by the attacker. The implementation flaw is that the WMF API in particular is vulnerable to malicious content.

None of which strikes me as surprising, but maybe that's just me :)

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php