New Win buffer-overflow flaw
- Subject: New Win buffer-overflow flaw
- From: Gary Stoneburner <gary.stoneburner@nist.gov>
- Date: Tue, 15 Jul 2003 08:48:06 -0400
re:
http://www.msnbc.com/news/936840.asp?0dm=N228T
"THE MOST SERIOUS of the flaws is what is known as a buffer overrun
vulnerability, which could allow an attacker to use an unchecked buffer
to run their own executable code. This flaw, located in the HTML
converter in Microsoft’s Windows operating system, could be used by
hackers to spread the code either by sending an HTML e-mail or by
creating a special Web page that triggers a download of the
code."
1. If the finder had chosen not to post his finding, we'd just be hosed!
2. Report correctly refers to this as a new "flaw" instead of a new "vulnerability". The vulnerability is use of software with so many flaws, THE vulnerability is not each of the perhaps 1000's of flaws which are continually being discovered.
Cheers,
Gary
**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************