Dailydave mailing list archives

Re: RE: Microsoft silently fixes security vulnerabilities


From: Chris Anley <chris () ngssoftware com>
Date: Mon, 24 Apr 2006 09:46:17 +0100

<snipped 'input validation fixes some bugs related to the input'>

Nick DeBaggis wrote:
But you've only fixed the 'related' bugs if your validation gate is the
only entry point into that particular call tree.  If that code path can
be hit from a different direction then those related bugs may still be
viable.  The third-party aspect makes this especially interesting since
your validation gate may only be masking the other related bugs in the
third-party code, which may cause other users of that third-party code
to wrongly assume it is secure as well.

Sure, but my point is, some bugs are fixed.

The problem is that neither I (the developer following best practice)
nor the vulnerability researcher, nor anyone writing NIPS/HIPS knows
what bugs were actually fixed by my input validation.

Nor does anyone know what bugs or how many were only masked out by it.

All of which is entirely true. The only point I was trying to make was
that some silent fixes are inadvertent.

You're right though, and there's a really long thread we could get into
about how people should code, relating to the definition of a bug (does
strcpy have a bug?), input validation of parameters in every function
and security implications of code re-use, but I'm not sure I want to
inflict that on the good people of dailydave, especially on a Monday
morning, pre-caffeinated.

     -chris.
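As an added illustration of the validation-gate point above (example code written for this archive page, not from Chris's or Nick's mail): a hypothetical shared routine with an unchecked copy, one caller that was given an input-validation gate, one caller that was not, and an audit helper that exercises every entry point with the same over-long input. All names, the buffer size and the payload are constructed; an IndexError stands in for the memory corruption a real unchecked copy would cause.

```python
"""Models the point that a validation gate in front of one caller does not
fix the bug inside a shared (third-party) routine that other callers reach."""

BUF_SIZE = 16  # fixed-size buffer inside the shared routine (constructed value)


def legacy_copy(src: bytes) -> bytearray:
    """Hypothetical third-party routine: copies src into a fixed buffer with
    no length check (the underlying bug). IndexError models the corruption."""
    buf = bytearray(BUF_SIZE)
    for i, b in enumerate(src):
        buf[i] = b  # raises IndexError once i >= BUF_SIZE
    return buf


def legacy_copy_fixed(src: bytes) -> bytearray:
    """Fix at the sink: the routine bounds its own copy, so every caller is
    protected regardless of which path reached it."""
    if len(src) > BUF_SIZE:
        raise ValueError("rejected at sink")
    buf = bytearray(BUF_SIZE)
    buf[: len(src)] = src
    return buf


def entry_validated(data: bytes, sink=legacy_copy) -> bytearray:
    """Entry point A: the input-validation gate the developer added."""
    if len(data) > BUF_SIZE:
        raise ValueError("rejected at gate")  # the sink's bug is only masked
    return sink(data)


def entry_unvalidated(data: bytes, sink=legacy_copy) -> bytearray:
    """Entry point B: a different caller of the same routine, never gated."""
    return sink(data)


def audit(payload: bytes, sink=legacy_copy) -> dict:
    """Run the same over-long input through every entry point and report which
    ones still reach the bug: the check to run before believing a gate
    'fixed' the related bugs in the shared code."""
    results = {}
    for name, fn in (("validated", entry_validated), ("unvalidated", entry_unvalidated)):
        try:
            fn(payload, sink)
            results[name] = "safe"
        except IndexError:
            results[name] = "bug reachable"
        except ValueError:
            results[name] = "rejected"
    return results
```

With the gate alone, the ungated path still reaches the bug; with the fix placed in the shared routine, both paths are safe.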

