Message-ID: <BC77491260F944DCB22ADF4801CB40A0@fairfax.phra.com>
Date: Mon, 8 Oct 2007 10:24:38 -0400
From: "Jim Slora" <Jim.Slora@...a.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Roger A. Grimes wrote Friday, October 05, 2007 3:54 PM


> I'm asking, with genuine interest and a listening ear, what is the best
> long term solution you envision, to solve the larger problem?

Apparently the long term solution is for third-party apps to point blame at 
Microsoft, and for Microsoft to point blame at third-party apps. They are 
both right except in absolving themselves.

To start with, this problem does not exist under IE6, regardless of 
third-party protocol handler vulnerability. So the question is, why did it 
open up after installing IE7? This portion is for Microsoft to address - 
either it is a required consequence of new functionality that they should 
reconsider, or it is a mistake that they should fix.

The individual third-party applications also need to sanitize their input, 
of course.

 

