Bugtraq mailing list archives
Re: White paper: Exploiting the Win32 API.
From: slack3r <slack3r () boy-genius net>
Date: Wed, 7 Aug 2002 11:13:29 -0500
Bugtraq, I've been following this posting on the exploitation of the Win32 API with interest. I think that Chris was correct in saying the following from his original posting: 5) This is not a bug. This is a new class of vulnerabilities, like a buffer overflow attack or a format string attack. As such, there is no specific vendor to inform, since it affects every software maker who writes products for the Windows platform. A co-ordinated release with every software vendor on the planet is impossible. I think the point has been made that there are ways to fix this problem, but the point is, this is a very real way of exploiting poorly written applications. It's no different than exploiting, as he said, a buffer overflow, or format strings, vulnerabilities of which abound throughout the Internet. Though there may be a way to prevent these vulnerabilities, the same could be said for, say, a buffer overflow, and yet they're found all over the place. I think Chris has a valid point in bringing this forward, and it's something that every Win32 programming should take into account, while trying to write secure applications. This is a topic that needed to be addressed. -Bryan P.S. I think it'd be interesting to see how many (if any) Microsoft programs are affected by this type of vulnerability, even though they "have known about these vulnerabilities for some time".
Current thread:
- Re: White paper: Exploiting the Win32 API., (continued)
- Re: White paper: Exploiting the Win32 API. Andrey Kolishak (Aug 10)
- Re: White paper: Exploiting the Win32 API. Paul Starzetz (Aug 27)
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 06)
- Re: White paper: Exploiting the Win32 API. Chris Paget (Aug 06)
- Re: White paper: Exploiting the Win32 API. Florian Weimer (Aug 06)
- RE: White paper: Exploiting the Win32 API. Marc Maiffret (Aug 10)
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 06)
- Re: White paper: Exploiting the Win32 API. Roland Kaufmann (Aug 07)
- Re: White paper: Exploiting the Win32 API. Adam Megacz (Aug 07)
- Re: White paper: Exploiting the Win32 API. Chris Calabrese (Aug 07)
- Re: White paper: Exploiting the Win32 API. slack3r (Aug 07)
- RE: White paper: Exploiting the Win32 API. Kenn Humborg (Aug 10)
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 07)
- Re: White paper: Exploiting the Win32 API. Simos Xenitellis (Aug 09)
- RE: White paper: Exploiting the Win32 API. Rothe, Greg (G.A.) (Aug 28)
- RE: White paper: Exploiting the Win32 API. Drew (Aug 28)
- Re: White paper: Exploiting the Win32 API. Chris Paget (Aug 29)
- RE: White paper: Exploiting the Win32 API. Drew (Aug 28)
- Re: White paper: Exploiting the Win32 API. Andrey Kolishak (Aug 10)