quote:
Originally posted by ShawnZ
burningmace: who the hell says "your box is owned"?
Do you mean "who uses that phrase?" or "why does that mean your box is owned?"
To answer both:
Who uses that phrase? - I use that phrase, and so do a lot of people. In fact, Microsoft's own Steve Riley uses it liberally in his presentations at TechEd.
Why does that mean your box is owned? - You have to assume any machine that has had an exploit run on it is completely under the control of the attacker - it is completely and utterly compromised.
I would also like to state that I am not disputing the standard of security in Messenger Plus. I am simply being realistic. I write code every day and I'm 110% sure that somewhere along the line I've written something that can be exploited in some way. I accept that. Any software developer that doesn't accept the fact that somewhere along the line their software or the libraries that it relies on will contain an exploitable bug is, frankly, a moron. What I'm trying to say is that despite the fact that at present there are no known vulnerabilities (with an exception - see note below) in Messenger Plus, there is no way to tell if there are unknown vulnerabilities, and you need to cover yourself from and inform your users of such eventualities.
Note regarding vulns - The exception is the obvious, practically unavoidable DNS/ARP spoofing man-in-the-middle attacks on the update socket, which (as far as I am aware, in the case of Messenger Plus) have never been performed.
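The standard mitigation for the update-channel risk described in the note above is to stop trusting the network at all: the publisher signs an update manifest offline, the client ships with the publisher's public key pinned, and a download is installed only if the signature verifies and the payload hashes to the value in the signed manifest. A spoofed DNS answer or ARP entry can then redirect the socket, but cannot produce an update the client will accept. The following Go program is an added example illustrating that check; it is not code from Messenger Plus or from anyone in this thread. The Manifest layout, the function names and the payload bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update descriptor: it binds a
// version string to the SHA-256 of the payload the client is about to install.
type Manifest struct {
	Version   string
	SHA256Hex string
}

// Bytes is the canonical encoding the publisher signs and the client verifies.
// Both sides must agree on it byte for byte, or every signature fails.
func (m Manifest) Bytes() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256Hex + "\n")
}

// SignManifest is the publisher-side step. It runs offline, on the release
// machine that holds the private key; the update server never needs that key.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("payload hash does not match signed manifest")
)

// VerifyUpdate is the client-side check. pub is pinned into the client binary,
// so everything the network delivered (manifest, signature, payload) is treated
// as attacker-controlled until both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	// 1. The manifest must carry a valid signature from the pinned key.
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	// 2. The downloaded bytes must hash to the value the signed manifest names.
	sum := sha256.Sum256(payload)
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the publisher's real release key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload v2.0")
	m, sig := SignManifest(priv, "2.0", payload)

	fmt.Println("genuine update:  ", VerifyUpdate(pub, m, sig, payload))
	// A redirected download delivering different bytes fails the hash check.
	fmt.Println("swapped payload: ", VerifyUpdate(pub, m, sig, []byte("constructed substitute")))
	// An edited manifest (for example pointing at the substitute's hash) no
	// longer matches the signature, so it fails before the hash is even read.
	edited := m
	edited.Version = "9.9"
	fmt.Println("edited manifest: ", VerifyUpdate(pub, edited, sig, payload))
}
```

The order of the two checks matters: the signature is verified first so that a manifest the attacker rewrote never influences which hash the client compares against. Signing the manifest rather than the payload itself keeps the signed object small and lets one signature cover several payload files, but the payload is still bound to it through the hash.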