Application Domain

Tony Johansson

Hi!

Here is some text from a book that I'm reading. It says:
"Restricting the permission of an application domain can greatly reduce the
risk that an assembly you call will perform some malicious action. Consider
the following scenario: You purchase an assembly from a third party and use
the assembly to communicate with the database. An attacker discovers a
security vulnerability in the third-party assembly and uses it to configure
a spyware application to start automatically. To the user, the security
vulnerability is your fault, because your application trusted the
third-party assembly and ran it with privileges sufficient to install
software."

I can't understand what the author of the book means by saying that an attacker
would be able to install some spyware on the computer.

//Tony
 
Arne Vajhøj

Here is some text from a book that I'm reading. It says:
"Restricting the permission of an application domain can greatly reduce the
risk that an assembly you call will perform some malicious action. Consider
the following scenario: You purchase an assembly from a third party and use
the assembly to communicate with the database. An attacker discovers a
security vulnerability in the third-party assembly and uses it to configure
a spyware application to start automatically. To the user, the security
vulnerability is your fault, because your application trusted the
third-party assembly and ran it with privileges sufficient to install
software."

I can't understand what the author of the book means by saying that an attacker
would be able to install some spyware on the computer.

Scrooge McDuck hires you to develop an app for him.

Your EXE uses my SleezySoftware.DLL.

When Scrooge McDuck runs your EXE, it calls
SleezySoftware.DLL, which installs a trojan on the
system.

Scrooge McDuck will blame you for the incident.

Your EXE may have legitimate reasons to run with
privs.

Arne
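
The restriction the quoted book passage describes, as an added example that is not part of the original thread or the book: the same code is denied a file write inside an application domain granted only execution rights, and allowed in the fully trusted host. It assumes .NET Framework (2.0 or later); `ThirdPartyStandIn`, `SandboxDemo` and the file name `sandbox-demo.txt` are hypothetical names.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical stand-in for the third-party assembly's entry point.
// MarshalByRefObject lets the host call it across the AppDomain boundary.
public class ThirdPartyStandIn : MarshalByRefObject
{
    public string TryWriteFile(string path)
    {
        try
        {
            File.WriteAllText(path, "written by library code");
            return "write succeeded";
        }
        catch (SecurityException ex)
        {
            return "write blocked: " + ex.GetType().Name;
        }
    }
}

public static class SandboxDemo
{
    public static void Main()
    {
        // Resolved in the fully trusted host; the sandbox may not query the environment.
        string target = Path.Combine(Path.GetTempPath(), "sandbox-demo.txt");
        // Grant set: start from nothing and allow only running managed code.
        // A real data-access library would also need e.g. SqlClientPermission.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("ThirdPartySandbox", null, setup, grant);
        try
        {
            var inSandbox = (ThirdPartyStandIn)sandbox.CreateInstanceAndUnwrap(
                typeof(ThirdPartyStandIn).Assembly.FullName, typeof(ThirdPartyStandIn).FullName);
            Console.WriteLine("sandboxed:  " + inSandbox.TryWriteFile(target));
            Console.WriteLine("full trust: " + new ThirdPartyStandIn().TryWriteFile(target));
        }
        finally
        {
            AppDomain.Unload(sandbox);
            File.Delete(target);
        }
    }
}
```

Application domain sandboxing exists only on .NET Framework, and Microsoft's documentation advises against relying on Code Access Security as a security boundary for untrusted code.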
 
