Full Disclosure mailing list archives

Re: Microsoft Office Excel 2010 memory corruption


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 29 Oct 2012 18:02:20 -0400

On Mon, Oct 29, 2012 at 5:54 PM, Peter Ferrie <peter.ferrie () gmail com> wrote:
>>> No, it costs a lot of time and money to fix even one issue.
>>> We don't want to waste it on something that isn't exploitable.
>> There are at least four problems with this argument. First, the
>> argument basically says "defective software is OK."
>
> You've interpreted "don't want to waste it" as "won't fix it",
> extended it to suggest that it's an acceptable response, and then
> proceeded to attack that conclusion.
> Do you call the fire brigade if you see the smoke from a candle?
> No, but you might get someone in eventually to clean the soot from the ceiling.
Security is an emergent property of the system
(http://www.mail-archive.com/sc-l () securecoding org/msg03639.html). How
can the program be secure if it's not even stable?

Worse, it's CompSci 101 mistakes - lack of parameter validation and
failure to check return values - and not some clever attack. To add
insult to injury, compiler warnings, static analysis and dynamic
analysis will often report the issues, but they are not used or are
ignored.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
