[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200308141957.h7EJvsLK010391@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
Matthew Murphy asked:
>Has anyone actually seen this control in-the-wild? I have Visual C++
>6.0, and Visual Basic 6.0 installed here (full installs, IIRC), and a
>search for "*mcwndx*" on the entire hard drive (and the Visual C++ CD)
>turns up nothing.
It was also observed that "MCWNDX.OCX" isn't on Google either.
The original advisory lists both "MCWNDX.OCX" and "MCIWNDX.OCX," the
latter of which generates a number of hits on Google and is mentioned
in Microsoft KB article Q173352.
So, maybe the correct control name is "MCIWNDX.OCX," although Thor
Larholm said that the "MCWNDX.OCX binary is digitally signed by
Microsoft," so maybe there are two of them.
A surprisingly large percentage of security advisories have
significant typos, inconsistencies, or other mistakes like this, and
few people seem to notice or at least comment on it.
By the way, this is one of the many things that makes vulnerability
databases expensive to maintain (assuming that correctness is a
desirable feature of such databases).
- Steve
Powered by blists - more mailing lists