SP2 Flaw Report falls short?

New developments on the big indings for Heise institute …

Larry Seltzer believes that the ‘flaw’ in SP2 discovered by Heise is unjustified in being called out as an SP2 hole.


He’s 100% right too. The attack requires that a user MANUALLY fire up a command prompt and run a file that IE considers untrusted in order to execute it.


This is more social engineering possibility than Microsoft OS bug and is something we discussed at the geek dinner in Bellevue a few weeks ago.


If you make a ‘box’ 100% secure, people will look at ways to ‘hack the human’. They already do stuff along these lines when you do a full pen test (and they got the idea from hackers) – stuff like dumpster diving (where you scour a company’s trash to find out any sensitive information that has been discarded) or helpdesk spoofing (calling a company helpdesk pretending to be Joe User to see if they’ll reset your password for you).


Sleep well and don’t have nightmares 😉


[Via Adam’s Mindspace]