Just what we needed to hear...
07/08/2002 03:05:10
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00686901
Message ID: 00687087
Views: 27
>http://security.tombom.co.uk/shatter.html

Hi Al,

I gather from this article that the danger only exists once an attacker gains access to your machine. I.e. it does not present a new way of entering, but it indicates a greater threat once the malicious user or code has gotten in. The implication, however, is that certain types of usage present a much greater risk than previously disclosed, as in this quote:

Even worse is the case of Terminal Services (or Citrix). Imagine a company providing terminal service functionality to their clients, for whatever purpose. That company is NOT going to give their users any real privileges. Shatter attacks will allow those users to completely take over that server; localsystem privileges are higher than the Administrator, and on a shared server that's a problem. Oh, and it doesn't require console access either - I've successfully executed these attacks against a Terminal Server a hundred miles away.

It would also seem that the precaution of avoiding connections to the Internet when logged in with Administrator privileges, i.e. using a login id with a lower privilege level, is less of a protection than I had previously thought. Aside from the Citrix/Terminal Server scenario, I'm not sure what other standard approach to building web-based applications would be wide open to this type of threat, but I'd be curious to understand that better.

Thank you very much for bringing this very interesting reference to our attention.

Mike
Montage

"Free at last..."