echo: nthelp
to: Geo.
from: Rich
date: 2003-01-25 17:08:06
subject: Re: More fiction, more nonsense

From: "Rich" 

   I still think you are off base in a fundamental way.  Some actions
are safe and some are not.  Things that are not should require explicit
action or confirmation from the user.  Things that are safe should not.
There are plenty of examples.  I don't believe it necessary to give you
any so I won't.  If something is supposed to be safe and it's not then
the problem is with the component that isn't safe when it should be, not
the component that relied on it.  This is the same principle that excuses
everything not being your fault when you do something that should be safe
and isn't.  Otherwise, everything would be your fault because everything
has its basis in you turning the computer on.

Rich

  "Geo."  wrote in message news:3e3323b4$1{at}w3.nls.net...
  "Rich"  wrote in message news:3e330892{at}w3.nls.net...

  >   Your lack of a better description reflects poorly on you.  Why do you
  persist in making yourself look bad?<

  I don't know, but that's the way I am so deal with it ok? <g>

  >   A user that prefers Netscape wouldn't be affected by the scenario you
  reported because the window opened by WMP is in the user's selected default
  browser and the source of the vulnerability was IE specific.<

  does it? Is that what the CSID thing is, picking the default browser or can
  that be modified to use IE regardless of what the default browser is?

  >   Whether you run IE as guest, normal user, or admin makes no difference.
  It's intended to be safe for all and if not due to an issue with IE then
  that is an IE issue and not the fault of you the user.  Now if IE prompts or
  warns you and you take explicit action to continue then the fault is
  yours.<

  Yes it's supposed to be safe, no it's never been classified as safe so I do
  believe it makes a difference if you run it as guest or admin. But that
  wasn't my point.

  My point was more that when a piece of code is exploited the exploit pretty
  much ends up with the access level that the exploited code was running at.
  This is one of the reasons MS changed the account that IIS5 uses (because
  the exploited code yields the access level). With the media player exploit,
  it's media player's access level which is why I view it as a media player
  exploit.

  You don't need to agree with that viewpoint, it's only my opinion but I do
  appreciate the discussion with you as it's allowed me to clarify (at least
  in my own mind) why I see it that way. A lot of what I understand about
  computers is self taught so the ideas exist in abstract thoughts for me and
  having to put them into words helps when I have to explain this stuff to
  others.

  I do understand what you are saying, you see it from a programmer's point of
  view, so the piece of code belongs to a program and it's that piece of code
  that is exploitable so that points to the program being exploited regardless
  of what passed control and the exploit commands to that piece of code. It's
  a valid way to see it but not the only way.

  Geo.

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com