Re: mIRC Buffer Overflow

["Krish Ahya" <Krish () houston rr com>]

I understand this, but thats all the more reason to not release an exploit.
An advisory only would have better suited the situation, especially when the
vendor won't fix the problem.

No need to complain over spilled milk now though, whats done is done, and
now to only hope the vendor will release fixes.

teli
Network Operations, ChatNet IRC Network
Central Hub Administrator
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
"When you sit with a nice girl for two hours, it seems like two minutes.
When you sit on a hot stove for two minutes, it seems like two hours, that's
relativity." -- Albert Einstein

----- Original Message -----
From: "Blue Boar" <BlueBoar () thievco com>
To: "Krish Ahya" <Krish () houston rr com>
Cc: <vuln-dev () securityfocus com>
Sent: Sunday, February 03, 2002 4:07 PM
Subject: Re: mIRC Buffer Overflow


> Krish Ahya wrote:
> > Why would you release an exploit for this hole if currently there are no
> > security patches for it? Do you know how many people run mIRC? Most of
which
> > know nothing about even how they got online! My prediction is that
several
> > machines are going to get compromised due to this.
>
> Did you read the page he referenced, where he indicates that he
> contacted the vendor in October, and they declined to make any changes?
> http://www.uuuppz.com/research/adv-001-mirc.htm
>
> BB