Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass



On Thu, 7 Dec 2006 22:00:31 +0300
3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:

Dear Tomasz Kojm,

TK> That's _extremely_ irresponsible to disclose bugs without giving the
TK> vendors any chance to fix them and prepare new software releases.

This is a rare case I cannot agree with such statement.

Ability to bypass content filter is not a bug before this issue is
used in-the-wild, like ability to write undetectable virus is not a bug
in antivirus. It may be simply impossible to find all vendors and wait
for all fixes.

I pretty much agree here, however I was particularly talking about the DoS
in ClamAV and not the MIME issue which can be fixed with a one-line patch.

--
oo ..... Tomasz Kojm <tkojm@xxxxxxxxxx>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Dec 7 20:26:03 CET 2006


