07/20/2007 04:02:43
Eugene Mayevski
Recently we have come across a terrific vulnerability found by some CooL HaCKeR (read the description here). One can put PGPBBox.dll (one of the libraries of the SecureBlackbox ActiveX edition) on an evil site, and when the user is driven to this site, the vulnerability will let the page overwrite some file on the user's disk. Wow!
The fact is that saving files to disk is a core functionality of SecureBlackbox. This is what some SecureBlackbox functions were designed for. As a data encryption suite, SecureBlackbox should write the result of its operations to the disk, even when it acts as part of a web page. Consequently, there's no way for the library to determine whether the web page is legitimate or belongs to a malicious attacker. Of course we could introduce an "ImAHacker" parameter in the SaveToFile methods, but would this help?
The hammer or knife manufacturer can't be blamed for the majority of murders committed by criminals. It's the victim's responsibility to take care of his or her own life. Claiming that the knife is too sharp and the hammer is too heavy doesn't save one's life, does it?
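The decision the post says the library cannot make on its own (is the hosting page legitimate?) is, in practice, made by the browser: Internet Explorer only lets an arbitrary web page script an ActiveX control that is registered as "safe for scripting", and an administrator can block a control outright with a kill bit. The audit below is an added example, not code from EldoS or from the post; it checks those two registry facts for a given CLSID. The CLSID is a placeholder, since the post does not give the control's real one, and the category and flag GUIDs are the documented Windows constants.

```powershell
# Added audit helper (not EldoS/SecureBlackbox code): given an ActiveX control's CLSID,
# report whether a web page is allowed to script it and whether it has been kill-bitted.
param(
    # Placeholder: replace with the CLSID of the control you are auditing.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

$safeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$safeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$killBit             = 0x400                                      # COMPAT_EVIL_DONT_LOAD

# Component categories the control registered under HKCR\CLSID\{clsid}\Implemented Categories
$catRoot    = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories"
$scriptable = Test-Path "$catRoot\$safeForScripting"
$initable   = Test-Path "$catRoot\$safeForInitializing"

# Kill bit lives in the per-CLSID ActiveX Compatibility key
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$flags = 0
if (Test-Path $compatKey) {
    $prop = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $flags = [int]$prop.'Compatibility Flags' }
}
$killed = ($flags -band $killBit) -ne 0

[pscustomobject]@{
    CLSID               = $Clsid
    SafeForScripting    = $scriptable
    SafeForInitializing = $initable
    KillBitSet          = $killed
    # A file-writing control that is scriptable from any page and not kill-bitted is the risky case
    ExposedToWebPages   = ($scriptable -and -not $killed)
}
```

One caveat: a control can also declare itself safe at run time through the IObjectSafety interface instead of the registry categories, so a "SafeForScripting = False" result from this script does not by itself prove the control is unreachable from a web page; the kill bit, on the other hand, is honoured regardless of how safety was declared.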