-- Symantec Security Advisory
An open letter to Symantec
On all your alerts you write:
"All non-administrative tasks such as reading e-mail and browsing the web should be performed as an unprivileged user with minimal access rights. This will reduce the consequences of successful exploitation."
Given the difficulty of effectively locking down Windows, it's hard to create a real "non-administrative user": there are so many places privilege escalation can occur that you pretty much have to treat all local users as privileged on the local box.
You have to stop the attack earlier than that, by avoiding the use of applications that have any mechanism to run arbitrary code with even local user rights. Since the MS HTML control inherently exposes applications that use it to a mix of trusted and untrusted data without any clean distinction between the two, a far more vital recommendation is to avoid exposing any code that uses it to untrusted data.
When are you going to start recommending that people use a browser other than Internet Explorer or mail software other than Outlook? There is other software that uses the MS HTML control, but these are the most common and most widely abused examples. There are many other fine web browsers that run under Windows, such as Mozilla (and its cousins) and Opera, and a great variety of free and commercial mail packages, and if people switched when they had the chance it would really cut down on the distribution of viruses.
Lynx-enhanced by <peter at taronga.com> (Peter da Silva)