[SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
ljknews
ljknews at mac.com
Thu Apr 6 22:54:51 EDT 2006
At 1:51 PM +0100 4/6/06, Dinis Cruz wrote:
> ljknews wrote:
>
> At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:
>
> 3) Since my assets as a user exist in user land, isn't the risk profile
> of malicious unmanaged code (deployed via IE/Firefox) roughly the same
> if I am running as a 'low privileged' user or as administrator? (at the
>
> If the administrator's assets are compromised, all users of the system
> will have their assets compromised.
>
> Sure, but if the main assets exist within that user's space, then the
> risk is similar.
No, the only thing at risk is the assets of _that_ user, not the other
users.
> Certainly users should not store credentials in software on a computer.
>
> Ok, but this is impossible today (at least in Windows).
Windows? Is that the operating system whose publisher just said
it is hopeless to clean up after a successful attack?
> If one is not the administrator, there should be no way to install
> software. If there is, the operating system is underprotected.
>
> Who said that?
William H. Murray of Deloitte and Touche.
> I might not be able to put it in under the 'Program files'
> folder, add files to the windows directory or write to some sections of
> the registry. But since you can run executables, you can perform all sorts
> of malicious actions.
His ideal model is a machine where the users have no ability to execute
a program they introduce to the machine. There is a strict boundary
between programs and data.
But he is talking about real security, not Windows.
--
Larry Kilgallen