lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20060328235413.23659.qmail@paddy.troja.mff.cuni.cz>
Date: Wed Mar 29 01:43:19 2006
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky)
Subject: 4 Questions: Latest IE vulnerability, Firefox
	vs IE security, User vs Admin risk profile, and browsers coded in 100%
	Managed Verifiable code

On Mon, 27 Mar 2006, Brian Eaton wrote:

> If I run a pure-java browser, for example, no web site's HTML code is
> going to cause a buffer overflow in the parser.

Even a "pure-java browser" would rest on the top of a huge pile of native
code (OS, JRE, native libraries). A seemingly innocent piece of data
passed to that native code might trigger a bug (perhaps even a buffer
overflow) in it...

Unlikely (read: less likely than a direct attack vector) but still
possible.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ