Message-ID: <200308141957.h7EJvsLK010391@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow

Matthew Murphy asked:

>Has anyone actually seen this control in-the-wild? I have Visual C++
>6.0, and Visual Basic 6.0 installed here (full installs, IIRC), and a
>search for "*mcwndx*" on the entire hard drive (and the Visual C++ CD)
>turns up nothing.

It was also observed that "MCWNDX.OCX" isn't on Google either.

The original advisory lists both "MCWNDX.OCX" and "MCIWNDX.OCX," the latter of which generates a number of hits on Google and is mentioned in Microsoft KB article Q173352. So, maybe the correct control name is "MCIWNDX.OCX," although Thor Larholm said that the "MCWNDX.OCX binary is digitally signed by Microsoft," so maybe there are two of them.

A surprisingly large percentage of security advisories have significant typos, inconsistencies, or other mistakes like this, and few people seem to notice or at least comment on it.

By the way, this is one of the many things that makes vulnerability databases expensive to maintain (assuming that correctness is a desirable feature of such databases).

- Steve