Vulnerability Development mailing list archives
Re: Vulnerability Disclosure
From: Steve Shockley <steve.shockley () shockley net>
Date: Wed, 06 Jun 2007 20:11:18 -0400
matt.steer () marstons co uk wrote:
The bug is in an installer and malicious input is crafted then pasted into an input field which is copied into a buffer of insufficient size. The conditions of the exploit seem a little extreme to me, but it still results in code execution.
Does it cause execution as a different user than the one who runs setup.exe or whatever? If not, I'm not sure it's a vulnerability. A bug, sure, but if you can start setup.exe as the user, you can start yourprogram.exe as well.
Should all vulnerabilities be disclosed to a vendor (at least!) however high or low risk?
Personally, I report any bugs I find in software I care about to the vendor/author. What they choose to do with it is usually their problem.
Current thread:
- Vulnerability Disclosure matt . steer (Jun 06)
- Re: Vulnerability Disclosure Steve Shockley (Jun 07)
- Re: Vulnerability Disclosure Mauro Flores (Jun 07)
- <Possible follow-ups>
- Re: Vulnerability Disclosure Jonathan Leffler (Jun 07)
- Re: Vulnerability Disclosure Valdis . Kletnieks (Jun 08)
- Re: Vulnerability Disclosure Jonathan Leffler (Jun 08)
- Re: Vulnerability Disclosure Lincoln Yeoh (Jun 18)
- Re: Vulnerability Disclosure Valdis . Kletnieks (Jun 08)