Full Disclosure mailing list archives
Re: Month of ActiveX Bug
From: Valdis.Kletnieks () vt edu
Date: Tue, 01 May 2007 12:45:24 -0400
On Tue, 01 May 2007 12:24:47 EDT, Larry Seltzer said:
Consider that most often a bug filed as DOS can actually beexploitable, but the person who discovered it can't get the POC working or is even aware it is. While command execution is the ideal goal it doesn't mean other types of issues are *completely* worthless. Most often? How do you know that?
Given the number of programs I've filed "Version XYZ segfaults under conditions A, B, and C" bug reports, compared to the number of things that were obviously exploitable, I have to conclude that either I'm a lot worse than Joe Programmer at identifying what's exploitable, or that a lot of *other* programmers are filing "Version XYZ segfaults" bug reports without understanding if they're exploitable - and quite often the segfault gets *fixed* as "just a segfault" rather than as a security-level bug.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Month of ActiveX Bug xxx xxx (May 01)
- Re: Month of ActiveX Bug Larry Seltzer (May 01)
- Re: Month of ActiveX Bug bugtraq (May 01)
- Re: Month of ActiveX Bug Larry Seltzer (May 01)
- Re: Month of ActiveX Bug Valdis . Kletnieks (May 01)
- Re: Month of ActiveX Bug Larry Seltzer (May 01)
- Re: Month of ActiveX Bug bugtraq (May 01)
- Re: Month of ActiveX Bug Steven Adair (May 01)
- Re: Month of ActiveX Bug James Matthews (May 01)
- Re: Month of ActiveX Bug Goetz Von Berlichingen (May 06)
- Re: Month of ActiveX Bug bugtraq (May 01)
- Re: Month of ActiveX Bug Larry Seltzer (May 01)
- Re: Month of ActiveX Bug Dude VanWinkle (May 03)
- Re: Month of ActiveX Bug Larry Seltzer (May 03)
- Re: Month of ActiveX Bug Dude VanWinkle (May 03)
- Re: Month of ActiveX Bug Larry Seltzer (May 03)