Abolade Gbadegesin and team - Networking in Windows Vista

In the video you show your evil ActiveX control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formatted and since the format command needs confirmation before it formats a hard disk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hackers do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful scenarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sophisticated than what you say publicly.
"Need to get a camcorder with a light"
ROBERT
nektar wrote: In the video you show your evil ActiveX control and what it does is issue the "format c:" command. Actually, this command will fail since the C drive is in use by the operating system and cannot be formatted and since the format command needs confirmation before it formats a hard disk, although the latter might be bypassed I guess. However, you are the IE Security Team and I hope that you know this. After all, hackers do much worse things and I hope that you know much more than you are telling us on their methods and on all the harmful scenarios that are out there. Because a simple format c: is nothing and you should know that. I hope that your internal testing examples are much more sophisticated than what you say publicly.
The pure evil movie, I have no idea, but
this thing might know...
I can think of one of the Ghostbusters sequels or
Newman (from Seinfeld... he is pure evil)
pure evil:
Time Bandits? "Mum! Dad! Don't touch it! It's evil!"
The CDCer wrote: It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well-known CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks like the IE 7 team are still not aware of the problem. Please read "A brutal solution to the IE z-index bug" (http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html) for more details and try to fix it. The world can't afford to fight with the bug for another 10 years! Speaking about bugs, here is another one: While poking around MSN, I did a search for "MSN sucks" (http://search.msn.com/results.aspx?q=MSN+sucks&srch_type=0&FORM=QBRE), and found a grand total of 49 pages! Yes, you heard it right, it's 49 pages, not 49K. As you can imagine, there is no way that I could trust that number, so I immediately checked with Google (http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=MSN+sucks&btnG=Search) and got over 2 million results, and the same search by Yahoo! (http://search.yahoo.com/search?p=MSN+sucks&prssweb=Search&ei=UTF-8&fr=ush-help&fl=0&x=wrt) reports 3.7 million! But wait, it got much worse! Please read "Bug or censorship in MSN search" (http://cdcer.com/?2005/09/bug-or-censorship-in-msn-search.html) for the whole story. These issues cost the industry countless hours of lost productivity (100s of millions of hours per year by some estimation) and really make Microsoft look so incompetent and evil in the eyes of geeks.
KenQ wrote:I would like to know if the final version of IE7 will have the toolbars locked or not. As in not giving the end user any way to move around the address toolbar or the buttons where you want them.
BruceMorgan wrote:In Windows, the Explorer windows (aka shell windows), the navigation bar (back, forward, address / breadcrumb bar / search) is fixed at the top. IE will do the same, for consistency with the shell as well as anti-spoofing.
Great video. Learnt a lot of where you guys are going. I have to say that I expect to see many privilege escalation exploits next....better priv escalation exploits than remote exploits that run under admin privs automatically....
...in the video you were referring to sending in exploits and vulnerabilities, so you guys can verify the threat model of IE. Is the threat model of IE published somewhere? I think if it is, it would give the security research community a more direct way to probe it for weaknesses...
Thanks -
Christian
-----
The CDCer wrote: It's great that you guys are working hard on security issues, but it's equally important to fix IE bugs. The z-index bug is a well-known CSS bug since IE 4 or 5 nearly a decade ago with no easy cross-platform workaround, and it looks like the IE 7 team are still not aware of the problem. Please read "A brutal solution to the IE z-index bug" (http://cdcer.com/?2005/09/brutal-solution-to-ie-z-index-bug.html) for more details and try to fix it. The world can't afford to fight with the bug for another 10 years!
You guys always deliver useful content. Awesome post. Very interesting and valuable videos. Keep posting more articles. Thanks for sharing useful info.