At 11:39 AM +0000 3/25/06, Dinis Cruz wrote: > 3) Since my assets as a user exist in user land, isn't the risk profile > of malicious unmanaged code (deployed via IE/Firefox) roughly the same > if I am running as a 'low privileged' user or as administrator? (at the
If the administrator's assets are compromised, all users of the system will have their assets compromised. > end of the day, in both cases the malicious code will still be able to: > access my files, access all websites that I have stored credentials in > my browser (cookies or username / passwords pairs), access my VPNs, Certainly users should not store credentials in software on a computer. > attack other computers on the local network, install key loggers, If one is not the administrator, there should be no way to install software. If there is, the operating system is underprotected. > establish two way communication with a Internet based boot net, etc ... At least one aspect of that is a design defect in TCP/IP, allowing unprivileged users to create a port to receive inbound connections. Other networking protocols avoid that flaw. -- Larry Kilgallen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php