From: Tony Johansson on 16 May 2010 12:08

Hi!

Here is some text from a book that I'm reading. It says:

"Restricting the permission of an application domain can greatly reduce the risk that an assembly you call will perform some malicious action. Consider the following scenario: You purchase an assembly from a third party and use the assembly to communicate with the database. An attacker discovers a security vulnerability in the third-party assembly and uses it to configure a spyware application to start automatically. To the user, the security vulnerability is your fault, because your application trusted the third-party assembly and ran it with privileges sufficient to install software."

I can't understand what the author of the book means when an attacker should be able to install some spyware on the computer?

//Tony
From: Arne Vajhøj on 16 May 2010 16:26

On 16-05-2010 12:08, Tony Johansson wrote:
> Here is some text from a book that I'm reading. It says:
> "Restricting the permission of an application domain can greatly reduce the
> risk that an assembly you call will perform some malicious action. Consider
> the following scenario: You purchase an assembly from a third party and use
> the assembly to communicate with the database. An attacker discovers a
> security vulnerability in the third-party assembly and uses it to configure
> a spyware application to start automatically. To the user, the security
> vulnerability is your fault, because your application trusted the
> third-party assembly and ran it with privileges sufficient to install
> software."
>
> I can't understand what the author of the book means when an attacker should
> be able to install some spyware on the computer?

Scrooge McDuck hires you to develop an app for him.

Your EXE uses my SleezySoftware.DLL.

When Scrooge McDuck runs your EXE, it calls SleezySoftware.DLL, which installs a trojan on the system.

Scrooge McDuck will blame you for the incident.

Your EXE may have legitimate reasons to run with privs.

Arne
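The mitigation the book passage (and Arne's SleezySoftware.DLL scenario) point at is to load the third-party assembly into an application domain whose grant set only covers what the assembly legitimately needs. The following is an added .NET Framework example, not code from the thread or the book; the assembly name ThirdPartyDb, the type ThirdPartyDb.Repository and its Run method are assumed placeholders for the purchased database assembly.

```csharp
using System;
using System.Data.SqlClient;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

// Host side: runs with the full privileges the EXE has for its own reasons,
// but hands the third-party DLL a much smaller set of permissions.
public static class SandboxedCaller
{
    public static object CallThirdParty(string connectionString)
    {
        // Grant only execution rights plus SqlClient access. No FileIO,
        // Registry or Environment permission is granted, so even a compromised
        // assembly cannot write a startup entry or drop a file to disk.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new SqlClientPermission(PermissionState.Unrestricted));

        var setup = new AppDomainSetup
        {
            // The sandbox loads assemblies from the EXE's own directory.
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };

        // No fully-trusted assemblies are listed, so nothing inside the
        // sandbox can Assert its way back to higher privilege.
        AppDomain sandbox = AppDomain.CreateDomain("ThirdPartySandbox", null, setup, grant);
        try
        {
            // Assumed: ThirdPartyDb.Repository derives from MarshalByRefObject,
            // so the host holds a proxy and the real object stays in the sandbox.
            ObjectHandle handle = sandbox.CreateInstance("ThirdPartyDb", "ThirdPartyDb.Repository");
            object repo = handle.Unwrap();

            // Every call made through this proxy executes under the restricted
            // grant set; a demand for FileIOPermission inside Run() will throw
            // SecurityException instead of succeeding.
            MethodInfo run = repo.GetType().GetMethod("Run");
            return run.Invoke(repo, new object[] { connectionString });
        }
        finally
        {
            // Tear the domain down so the third-party code holds no state
            // beyond the call.
            AppDomain.Unload(sandbox);
        }
    }
}
```

This relies on Code Access Security, which exists only in .NET Framework; .NET Core and later removed both CAS and sandboxed application domains, so there the equivalent isolation has to come from a separate process or OS-level controls.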