Firewall Wizards mailing list archives
Re: Buffer Overruns
From: Vin McLellan <vin () shore net>
Date: Sat, 18 Dec 1999 17:45:13 -0500
It there something in the emergence of a popular Internet, or some
other timely aspect in the industry's evolution, that has brought to light
the vulnerabilities associated with buffer overruns in recent years?
Maybe some shift in program design or programming engineering
practice? What left so many of these vulnerabilities unexposed and their
risks unappreciated for so many years?
Sometimes even in <ahem> widely distributed source code.
_Vin
At 05:28 PM 12/17/99 -0500, Steven M. Bellovin wrote:
In message <385A1B90.E2213122 () home com>, Michael Kelly writes:I really feel silly asking this, but; Can these buffer overrun bugs penetrate firewalls? I'm trying to convince the boss to ditch IE in favor of Netscape. (which is only slightly better)Yes, some buffer overruns can penetrate firewalls. Fundamentally, firewalls cannot protect you against attacks at a higher level of the protocol stack than the firewall operates at. If you allow http and html through your firewall, and there's a bug in the program at your end that processes the http and html -- yes, you're vulnerable. This isn't a new issue; see, for example, CERT Advisory CA-98.10, CA-97.05, and many others. --Steve Bellovin
Current thread:
- Re: Buffer Overruns, (continued)
- Re: Buffer Overruns Joseph S D Yao (Dec 18)
- Re: Buffer Overruns Marcus J. Ranum (Dec 18)
- Re: Buffer Overruns Crispin Cowan (Dec 18)
- Re: Buffer Overruns Michael Kelly (Dec 20)
- Re: Buffer Overruns Matt Curtin (Dec 18)
- Re: Buffer Overruns Frederick M Avolio (Dec 20)
- RE: Buffer Overruns Michael D. Hunter-Linville (Dec 21)
- Re: Buffer Overruns Saravana Ram (Dec 24)
- Re: Buffer Overruns Frederick M Avolio (Dec 20)
- Re: Buffer Overruns Ryan Russell (Dec 18)
- Re: Buffer Overruns Steven M. Bellovin (Dec 18)
- Re: Buffer Overruns Vin McLellan (Dec 20)
- Re: Buffer Overruns Joseph S D Yao (Dec 21)
- OT - Rant on State of S/w Engr (was Re: Buffer Overruns) Lim Wei Siong Vincent (Dec 22)
- Re: OT - Rant on State of S/w Engr (was Re: Buffer Overruns) Joseph S D Yao (Dec 23)
- Re: Buffer Overruns Joseph S D Yao (Dec 21)
- Re: Buffer Overruns Crispin Cowan (Dec 21)
- Re: Buffer Overruns Michael Kelly (Dec 22)