Open Source and information security mailing list archives
 
Message-ID: <200308141957.h7EJvsLK010391@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow

Matthew Murphy asked:

>Has anyone actually seen this control in-the-wild?  I have Visual C++
>6.0, and Visual Basic 6.0 installed here (full installs, IIRC), and a
>search for "*mcwndx*" on the entire hard drive (and the Visual C++ CD)
>turns up nothing.

It was also observed that "MCWNDX.OCX" isn't on Google either.

The original advisory lists both "MCWNDX.OCX" and "MCIWNDX.OCX," the
latter of which generates a number of hits on Google and is mentioned
in Microsoft KB article Q173352.

So, maybe the correct control name is "MCIWNDX.OCX," although Thor
Larholm said that the "MCWNDX.OCX binary is digitally signed by
Microsoft," so maybe there are two of them.

A surprisingly large percentage of security advisories have
significant typos, inconsistencies, or other mistakes like this, and
few people seem to notice or at least comment on it.

By the way, this is one of the many things that makes vulnerability
databases expensive to maintain (assuming that correctness is a
desirable feature of such databases).

- Steve
