Message-id: <49FAE0EE.26317.4D86C14@nick.virus-l.demon.co.uk>
Date: Fri, 01 May 2009 11:45:50 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: Symantec Fax Viewer Control v10 (DCCFAXVW.DLL) remote buffer
 overflow exploit

Symantec Product Security Team <secure@...antec.com> wrote:

> Symantec discontinued sales and support for Winfax Pro in early 2006. 
> As such, there will be no further updates to the product. 
> 
> Anyone running a legacy version of this product and concerned about
> this issue may want to follow the procedures outlined in MSKB 240797
> http://support.microsoft.com/kb/240797 to set the killbit for this
> control to prevent it from being called. 

As you're effectively saying you've abandoned the product, might not 
the best course of action be for you to ask MS to add that to its Patch 
Tuesday third-party killbit list so it is done for those who don't know 
better?  That is, those who need the most help?

That's what I'd consider the reasonable thing to do, _particularly_ for 
a security product developer.  Hopefully MS can get it into the next 
patch kit (probably unlikely now?) before someone takes the published 
PoC and adds it to one or more of the various web exploitation kits out 
there...


Regards,

Nick FitzGerald

