Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerability Disclosure

From: matt.steer () marstons co uk
Date: 5 Jun 2007 03:52:13 -0000
Hi Guys,

I have been playing around with a program and have discovered a bug that I have successfully leveraged into code 
execution. I reported my findings to the vendor, not yet receiving a reply; this is the first time I have done this. 

The bug is in an installer and malicious input is crafted then pasted into an input field which is copied into a buffer 
of insufficient size. The conditions of the exploit seem a little extreme to me, but it still results in code 
execution. 

The fact that it is in an installer, hence most likely requiring Admin rights, and is a local exploit the risk of this 
vulnerability being exploited seems low (too me, not being a risk assessor!) . 

This brings me to my question; 

Should all vulnerabilities be disclosed to a vendor (at least!) however high or low risk?

I’ve never been a believer in ‘Security through Obscurity’, but do the people think there comes a point when it may 
just be a waste of time?

To be honest; I hope not!

Matthew Steer
Previous By Date Next
Previous By Thread Next

Current thread: