2002-08-07 17:12:26+00 by Dan Lyke 1 comments
Almost lost in the flurry of updates yesterday afternoon was a /. entry pointing to an exploit technique for privilege escalation under Windows. I need to go back through it when I have more time, but given the amount of time and energy being put into .NET security classes and privileges, the Microsoft response seems a little naive.
[ related topics: Humor Microsoft moron ]
comments in ascending chronological order (reverse):
#Comment made: 2002-08-07 21:26:40+00 by: meuon [edit history]
Andrew (drewcifer) was demonstrating using these techniques this morning at GeekLabs (the back room). Scary stuff, especially if you can get someone (machine or human) into executing a little code from remote. Something that does not seem hard in MS-User-Land. It also appears to be a problem at the very foundation of the Win32API and may be un-fixable.
As soon as a widespread explot exists (Can you say Outlook Worm?), then Microsoft will be forced to deal with it. But they supposedly mentioned this problem months ago when MS admitted their were flaws in MS-Land that 'threatened national security'.
My first implementation would be (if I wrote MS-code) a version that attacks computers running PC-Charge and ICVerify that fills in all boxes with someone elses credit card number.. Just for grins :)