[SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
ljknews
ljknews at mac.com
Sat Mar 25 08:55:32 EST 2006
At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:

> 3) Since my assets as a user exist in user land, isn't the risk profile
> of malicious unmanaged code (deployed via IE/Firefox) roughly the same
> if I am running as a 'low privileged' user or as administrator? (at the

If the administrator's assets are compromised, all users of the system
will have their assets compromised.

> end of the day, in both cases the malicious code will still be able to:
> access my files, access all websites that I have stored credentials in
> my browser (cookies or username / passwords pairs), access my VPNs,

Certainly users should not store credentials in software on a computer.

> attack other computers on the local network, install key loggers,

If one is not the administrator, there should be no way to install
software. If there is, the operating system is underprotected.

> establish two way communication with an Internet based botnet, etc ...

At least one aspect of that is a design defect in TCP/IP, allowing
unprivileged users to create a port to receive inbound connections.
Other networking protocols avoid that flaw.
--
Larry Kilgallen