Full Disclosure mailing list archives
Re: Two MSIE 6.0/7.0 NULL pointer crashes
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Sun, 24 Jan 2010 01:05:06 +0100 (CET)
On Thu, 21 Jan 2010, Dan Kaminsky wrote:
> But imagine an oldschool application drenched in strcpy, where you've lost context of the length of that buffer five functions ago.
When you discover you are riding a dead horse, the best strategy is to dismount. When you discover the program is designed too badly to be maintained, the best strategy is to rewrite it.
> Or imagine the modern browser bug, where you're going up against an attacker who *by design* has a Turing complete capability to manipulate your object tree, complete with control over time.
Such an attacker must be assumed to possess hyperturing computing power because an exploit can communicate with an oracle. But I do not think this case is much different from the previous one: most, if not all, of those bugs are elementary integrity violations (not prevented because the boundary between trusted and untrusted data is not clear enough) and race conditions (multithreading with locks is an idea on the same level as strcpy).
> Or, worst of all, take a design flaw like Marsh Ray's TLS renegotiation bug.
One needs to pay utmost attention to the design and its correctness. This has been known for decades, hasn't it? (An interesting finding regarding the renegotiation issue: People analyzing the protocol in the past had spent a lot of energy on its individual parts, esp. the handshake, and very little work had been done on the protocol as a whole.)
> c) The system needs to work entirely the same after.
Not entirely. You want to get rid of the vulnerability.

--
Pavel Kankovsky aka Peak                          / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..."  \ 21st century edition /

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
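The strcpy scenario Dan describes, and Pavel's answer to it (stop patching call sites and rewrite so the length cannot be lost), in working C. This is an added example and not code from the thread or from either author; the type and function names (buf_t, buf_init, buf_copy, buf_append, deep_callee, legacy_fill) and the attacker string are invented for illustration.

```c
/* Added example, not part of the original thread.
 * Before: a char * loses the buffer size as soon as it leaves the allocator.
 * After: carry the capacity with the pointer so every callee can check it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- Before: the capacity is known where `dst` was allocated, but this
 * callee only receives a char * and cannot check anything. With a long
 * `src` strcpy() writes past the end (undefined behaviour). --- */
static void legacy_fill(char *dst, const char *src)
{
    strcpy(dst, src);           /* no length available; trusts src to fit */
}

/* --- After: a buffer that carries its capacity and current length.
 * The size is part of the type, so a function five calls down still has
 * it and cannot "lose context" of it. --- */
typedef struct {
    char  *data;
    size_t cap;   /* bytes available, including the terminating NUL */
    size_t len;   /* current string length, not counting the NUL */
} buf_t;

static void buf_init(buf_t *b, char *storage, size_t cap)
{
    b->data = storage;
    b->cap  = cap;
    b->len  = 0;
    if (cap > 0)
        b->data[0] = '\0';
}

/* Copies src into b. Returns 0 on success, -1 if src (plus NUL) would not
 * fit; on -1 the buffer is left unchanged, no silent truncation. */
static int buf_copy(buf_t *b, const char *src)
{
    size_t n = strlen(src);
    if (b->cap == 0 || n >= b->cap)
        return -1;
    memcpy(b->data, src, n + 1);
    b->len = n;
    return 0;
}

/* Appends src to b under the same contract. */
static int buf_append(buf_t *b, const char *src)
{
    size_t n = strlen(src);
    if (b->cap == 0 || n >= b->cap - b->len)
        return -1;
    memcpy(b->data + b->len, src, n + 1);
    b->len += n;
    return 0;
}

/* Stands in for the callee "five functions" away from the allocation:
 * because it receives a buf_t, the bounds check is still possible here. */
static int deep_callee(buf_t *out, const char *untrusted)
{
    return buf_append(out, untrusted);
}

int main(void)
{
    char  small[16];
    buf_t b;
    buf_init(&b, small, sizeof small);

    /* Attacker-controlled input, constructed for this example. */
    const char *evil = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("copy \"hello\": %d\n", buf_copy(&b, "hello"));
    printf("append 32 bytes into 16-byte buffer: %d (len still %zu)\n",
           deep_callee(&b, evil), b.len);

    /* legacy_fill(small, evil) would overflow `small`; only a fitting
     * string is passed here so the program itself stays well-defined. */
    legacy_fill(small, "ok");
    printf("legacy_fill result: %s\n", small);
    return 0;
}
```

The point of buf_t is not the check itself but that the check cannot be forgotten: a caller that wants to hand a buffer to deep_callee() has to construct a buf_t, and the capacity travels with it through every intermediate function.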