lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 11 Dec 2006 16:20:43 -0800
From: Alexander Sotirov <asotirov@...ermina.com>
To: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: The newest Word flaw is due to malformed data
	structure handling

Juha-Matti Laurio wrote:
> Related to the newest MS Word 0-day
> http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
> 
> US-CERT Vulnerability Note VU#166700 released today lists the following
> new technical detail:
> 
> "Microsoft Word fails to properly handle malformed data structures
> allowing memory corruption to occur."
> http://www.kb.cert.org/vuls/id/166700

I appreciate your efforts to keep the community informed, but these kinds of
"technical details" are completely useless. It's not your fault, this has been a
long-standing problem with the information from coming from the likes of CERT
and MSRC.

Almost all Office vulnerabilities (and security issues in file parsers in
general) are a result of "malfromed data structures allowing memory corruption
to occur". Repeating this statement for every Word bug doesn't tell us anything new.

Descriptions of vulnerabilities, especially ones that are found in the wild,
should include enough information to allow researchers to uniquely identify the
new vulnerability and differentiate it from all other bugs, both known ones and
0days. Without that level of detail, you end up with this:
http://www.securityfocus.com/archive/1/443288


Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists