Personally, I think Microsoft just needs to put a greater emphasis on security, something they haven't done in previous releases. Some of my all-time favorite MS bugs include (all fixed now):
IIS: Ability to view source of ASP pages by going to http://site/page.asp. (trailing dot). You could also do http://site/page.asp::$DATA I believe.
IE: Ability to run arbitrary code by sending a cookie with JavaScript as the contents. The JS would get evaluated in the local security settings -- my god, why anyone would want to have a browser that runs the JavaScript contained inside cookies is beyond me. This one is really nasty, as for a while, any site that sent you a cookie could wipe your hard drive.
IE: Ability to auto run downloadable programs due to IE not properly checking content type headers.
Outlook: auto running attached files - about 20+ variations on this.
Outlook: displaying HTML mail leads to running code automatically - about 20+ variations on this as well.
Most of these can be summed up with "don't trust user input". Maybe perl -T might help. =)
Cheers,
Alex
--
Gossamer Threads Inc.
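
An added example, not part of the post above: Windows strips trailing dots and spaces from a file name, and `::$DATA` names a file's default NTFS data stream, so `page.asp.` and `page.asp::$DATA` open the same file as `page.asp` while a handler lookup keyed on the literal extension sees something other than `.asp`. The Python sketch below contrasts that naive lookup with one that rejects non-canonical names first; the function names, the extension set and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumption: extensions that must be executed by a script handler, never served raw.
SCRIPT_EXTENSIONS = {".asp"}


def naive_classify(url_path):
    """Pick a handler from the literal extension of the raw request path."""
    ext = posixpath.splitext(url_path)[1].lower()
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


def strict_classify(url_path):
    """Reject names the file system would silently rewrite, then pick a handler."""
    # Decode first so %2e, %20 and %3a cannot hide the characters checked below.
    path = unquote(url_path).replace("\\", "/")
    name = path.rsplit("/", 1)[-1]
    # A colon in the final component is NTFS stream syntax (name:stream:$TYPE).
    if ":" in name:
        return "reject"
    # Win32 drops trailing dots and spaces, so "page.asp." opens "page.asp".
    if name != name.rstrip(". "):
        return "reject"
    ext = posixpath.splitext(name)[1].lower()
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


# Constructed sample requests, modelled on the two URLs quoted in the post.
SAMPLES = [
    "/page.asp",
    "/page.asp.",
    "/page.asp::$DATA",
    "/page.asp%2e",
    "/page.asp%20",
    "/index.html",
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(f"{request:22} naive={naive_classify(request):7} "
              f"strict={strict_classify(request)}")
```

A request the naive lookup labels `static` but that still opens the `.asp` file is exactly the source-disclosure case; the strict version refuses it instead of guessing.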