| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Apr 2007 21:51:45 -0400 From: "Larry Seltzer" <Larry@...ryseltzer.com> To: "Daniel Veditz" <dveditz@...zio.com>, "George Ou" <george_ou@...architect.net> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Windows .ANI LoadAniIcon Stack Overflow Alex had said that he was exploiting this bug on Firefox, even though the Firefox docs say it should be impossible. I'm just trying to understand how his claims are possible. There's no reason to believe the Firefox developers need to do anything. IE, for example, is fixed when the ANI code in GDI is fixed. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.eweek.com/blogs/larry%5Fseltzer/ Contributing Editor, PC Magazine larryseltzer@...fdavis.com -----Original Message----- From: Daniel Veditz [mailto:dveditz@...zio.com] Sent: Tuesday, April 03, 2007 9:47 PM To: George Ou Cc: Larry Seltzer; 'Alexander Sotirov'; full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow George Ou wrote: > The patch for ANI is out from Microsoft. I'm assuming the question is > if we will see this technique for Firefox exploitation posted now? Why? That would needlessly put Firefox users at risk -- not everyone will be able to apply the Windows patch immediately. Microsoft may have had since December to craft a patch, but the Firefox team hasn't. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists