Re: [opensuse] OpenSuse 11
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Mon, 11 Feb 2008 16:14:39 -0800
  • Message-id: <200802111614.39854.rschulz@xxxxxxxxx>
On Monday 11 February 2008 13:11, Wolfgang Woehl wrote:
> ... For example all of web2.0 is one huge
> stress-test suite for a browser infrastructure. ...

This is true. It is an entirely different class of potential
vulnerabilities and exploits. Many of them are of the cross-site
scripting variety or injection exploits.

But these are all fundamentally different in their means of execution
and the locus of vulnerability. A browser that is 100% secure from
buffer-overflow exploits including those in any plug-ins or other
dynamically linked extensions and which has a perfect JavaScript
implementation including the browser sandbox model can still expose one
to these attacks.

It is also the case that many of these vulnerabilities are equally
present on Linux and Windows, since they originate in poorly crafted
Web applications (either on the server side or in client-side
JavaScript). There is virtually nothing an end user can do to protect
against such exploits other than refrain from using that class of
services (and that class includes all sorts of today's shiny new fun
stuff on the Web, from Amazon.com and eBay to FaceBook, MySpace and
Flickr and more).

If I read between your lines to say "we ain't seen the half of the
catastrophes Web 2.0 software will ultimately cause," I'm afraid you're
right.


> ...
>
> Wolfgang


Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
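The cross-site scripting class discussed above, as an added example (not code from this thread or from the openSUSE project): a constructed comment template rendered once without and once with output escaping, plus a check over the rendered output. The function and variable names are hypothetical.

```javascript
// Added example: a tiny server-side comment template of the "poorly crafted
// web application" kind the post describes. Both renderers produce perfectly
// well-formed HTML, which is why a memory-safe, sandboxed browser cannot
// tell an injected <script> apart from the page author's own markup.

// Constructed sample input: a comment submitted by an untrusted user.
const UNTRUSTED_COMMENT = 'Nice photo! <script>alert("xss")</script>';

// Minimal HTML escaping for text placed between tags or inside quoted attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak renderer: untrusted fields are concatenated straight into the markup.
function renderCommentWeak(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened renderer: identical markup, untrusted fields escaped at the sink.
function renderCommentHardened(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Crude output check a test suite can run: list every tag name in the
// rendered HTML that the template itself did not emit.
const TEMPLATE_TAGS = new Set(['li', '/li', 'b', '/b']);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Stand-alone run: the weak output carries a foreign <script>, the hardened one does not.
console.log('weak    :', foreignTags(renderCommentWeak('mallory', UNTRUSTED_COMMENT)));
console.log('hardened:', foreignTags(renderCommentHardened('mallory', UNTRUSTED_COMMENT)));
```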
