Educause Security Discussion mailing list archives

Re: Cisco IOS Vulnerablity

From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 3 Nov 2005 08:18:02 -0600

That was my take on it, too.  Seems like it shoulda been a press
release, *unless* there's some nasty unannounced heap overflow in the QA
pipeline.

They coulda been clearer, for sure.

    -jml

flynngn () JMU EDU 11/03/05 7:40 AM >>>

Arturo Servin wrote:

   Yes. It's going to be a big one.


Unless I missed something, Cisco altered an
architecture design so that it would be harder
to exploit a heap overflow related defect should
one be found (or a past one not patched).

I don't see where they announced a new defect
allowing an exploit to produce a heap overflow.

It appears comparable to adding stack protection
in Windows XP sp2 although that was for a
different type of overflow. Its a strengthening
measure more than a patching measure.

Am I misinterpreting the bulletin?


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Current thread:

Cisco IOS Vulnerablity Scott Genung (Nov 02)
- <Possible follow-ups>
- Re: Cisco IOS Vulnerablity Arturo Servin (Nov 03)
- Re: Cisco IOS Vulnerablity Gary Flynn (Nov 03)
- Re: Cisco IOS Vulnerablity Gary Golomb (Nov 03)
- Re: Cisco IOS Vulnerablity John Ladwig (Nov 03)
- Re: Cisco IOS Vulnerablity Jeff Kell (Nov 03)
- Re: Cisco IOS Vulnerablity Chris Harrington (Nov 03)