[cap-talk] Drop My Rights - a stab at caps by Microsoft?
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Mon Oct 17 17:06:06 EDT 2005
Ian G wrote:
> http://online.securityfocus.com/infocus/1848
>
> Meanwhile a simple yet little-known approach exists for users to avoid
> many of these vulnerabilities in any web browser. It is a novel tool
> called "Drop My Rights," created by Microsoft's Michael Howard. While
> it was released last year and is very simple to use, it has not gained
> popularity despite all the vulnerabilities found in IE, Firefox, and
> various email applications. Therefore it's important to understand why
> such a tool is needed before looking at the tool itself. We'll test it
> in a virtual machine environment against various websites known to
> install spyware or viruses and look at the results.
Like any approach using "Run As"/CreateProcessWithLogon, this will not
protect against any attack that specifically attempts to escape a
Run As-based sandbox.
> Least privilege
> It is important that administrators follow the rule of least privilege.
> ...
This is easy to say, but it's much more difficult to provide an environment
that actually allows it to be achieved. "Drop My Rights" doesn't, and the
approach that it uses is essentially a dead end.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
More information about the cap-talk
mailing list