funsec mailing list archives
Re: How come security companies don't know how to write secure code?
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 26 Jul 2007 00:04:41 -0500 (CDT)
On Wed, 25 Jul 2007, Richard M. Smith wrote:
What am I missing here? Why does an intrusion detection software package open up a system to intrusions? Isn't it obvious that an ActiveX control shouldn't allow a Web page to load a random DLL and call functions in the DLL?
It's a product, built to marketing specifications and to ship as soon as possible. So what if it's a security product?
Richard

http://secunia.com/advisories/26134/

Some vulnerabilities have been reported in CA eTrust Intrusion Detection, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to the CallCode (caller.dll) ActiveX control including certain insecure methods, which allow loading of arbitrary DLL files and calling the exported functions with controlled parameters. This can be exploited to e.g. execute arbitrary code when a user visits a malicious website.

The vulnerabilities affect the following products:
* eTrust Intrusion Detection 3.0
* eTrust Intrusion Detection 3.0 SP1

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- How come security companies don't know how to write secure code? Richard M. Smith (Jul 25)
- Re: How come security companies don't know how to write secure code? Gadi Evron (Jul 25)