RE: [Full-Disclosure] EEYE: Microsoft ASN.1 Library Bit String Heap Corruption

From: Geo. (geoincidents_at_getinfo.org)
Date: 02/11/04

  • Next message: webheadport80_at_netscape.net: "RE: [Full-Disclosure] EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption" 
    To: <full-disclosure@lists.netsys.com>
Date: Wed, 11 Feb 2004 11:54:25 -0500

    >>Resolution of vulnerabilities is not the same thing as technical detail
    _disclosure_ of details about the vulnerability.<<

    Ok they are not the same but it is the _details_ that are important, we
    aren't taking about point and click PoC code, we are talking about details
    of the flaw. This is a library function, so how do you know what else it
    might affect or if other libraries on other OS may have the same (remember
    POD?) sort of issues?

    >>But full detail bulletins should lag the initial release of the patch by
    some number of weeks/months.<<

    But then nobody else who has a similar product or uses the same library but
    maybe not the specific function can tell if their product also requires an
    update, so you want to set them back by a number of weeks/months? You are
    assuming that a vulnerability affects only one vendor but by doing so you
    may be slowing down the release of patches for other products can also be
    affected.

    >>As far as Eeye having a stockpile of Microsoft vulnerabilities and I
    would assume lab code that can exersize them, doesn't bother me as much<<

    If you were in competition with Microsoft on some Windows product, would
    Microsoft constantly having multiple backdoors to any of your systems worry
    you?

    Geo.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: webheadport80_at_netscape.net: "RE: [Full-Disclosure] EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption"

    Relevant Pages
    • Quantcast