Open Source and information security mailing list archives
 
Message-ID: <200604210644.k3L6iYgg051283@mailserver3.hushmail.com>
Date: Fri Apr 21 07:44:44 2006
From: 0x80 at hush.ai (0x80@...h.ai)
Subject: selling ms office bug 

Ahaha.

Not really because I am pretty sure that he is talking about either 
an unpatched PPT overflow (malformed powerpoint file) or perhaps 
even an older one that was found and never reported to MS in Visio.

I do understand that it's easy to trick users into clicking on 
something to be owned and yes you can embed any office document in 
HTML and have it auto-execute but these types of vulnerabilities 
are as common as lame XSS vulns or rambling n3td3v posts. 

Have you ever run tests on IE?  I can crash IE in thousands of ways 
with malformed content.  Some might be exploitable, most are null 
pointers.  But the point is... these issues will probably always 
exist and there is no real defense against tricking a user into 
doing something.

By the way, I am typing this email after spending the day at the 
beach in 35 celsius weather getting a sunburn so if they want to 
join me they can. heh

On Thu, 20 Apr 2006 23:25:41 -0700 Valdis.Kletnieks@...edu wrote:
>On Thu, 20 Apr 2006 22:05:23 PDT, 0x80@...h.ai said:
>> You open a file and shellcode runs?
>
>> Wow... hey guys I have an executable to sell.. all you need to do is
>> get the user to open it and the code runs compromising the
>> system...
>
>> sigh......
>
>You're just jealous because he's probably going to make enough money to
>pay for a nice trip to the tropical beach of his choice, *and* be able
>to brag about how he pwn'ed a whole mess of white hat's boxes and got
>away with it.. ;)


