[SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
ljknews
ljknews at mac.com
Thu Apr 6 22:59:13 EDT 2006
At 1:57 PM +0100 4/6/06, Dinis Cruz wrote:
>> At least one aspect of that is a design defect in TCP/IP, allowing
>> unprivileged users to create a port to receive inbound connections.
> If an application is a File Compression utility, then there is no reason
> why it should have access to the TCP stack. And if they do need access to
> it (for example to check for updates), then those exceptions should be
> very well controlled and monitored.
The problem, then, is how to prevent an unprivileged user from setting up
a File Compression utility to access TCP and establish a port to which
an incoming connection can be made without authentication.
This is back to the issue of which programs can be trusted -- and the
answer to that should be _not_ programs provided by an unprivileged user.
--
Larry Kilgallen