On 03/26/2014 02:59 PM, valdis.kletni...@vt.edu wrote:
You *do* realize that the OS vendor can't really do much about users
who click on stuff they shouldn't, or reply to phishing emails, or
most of the other ways people *actually* get pwned these days? Hint:
Microsoft *tried* to fix this with UAC. The users rioted.
Yep, I do realize that and I do remember the UAC 'riots.' But the OS
vendor can make links that are clicked run in a sandbox and make said
sandbox robust. A user clicking on an e-mail link should not be able to
pwn the system. Period.
Most of the phishing e-mails I've sent don't have a valid reply-to,
from, or return-path; replying to them is effectively impossible, and
the linked/attached/inlined payload is the attack vector.
