[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8=PMgjiHM5LwHBKutuk4otM3JPdFv6FP4A4XC-T4PfZaQ@mail.gmail.com>
Date: Mon, 29 Oct 2012 18:02:20 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Peter Ferrie <peter.ferrie@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Office Excel 2010 memory corruption
On Mon, Oct 29, 2012 at 5:54 PM, Peter Ferrie <peter.ferrie@...il.com> wrote:
>>> No, it costs a lot of time and money to fix even one issue.
>>> We don't want to waste it on something that isn't exploitable.
>> There are at least four problems with this argument. First, the
>> argument basically says "defective software is OK."
>
> You've interpreted "don't want to waste it" as "won't fix it",
> extended it to suggest that it's an acceptable response, and then
> proceeded to attack that conclusion.
> Do you call the fire brigade if you see the smoke from a candle?
> No, but you might get someone in eventually to clean the soot from the ceiling.
Secure is an immigrant property of the system
(http://www.mail-archive.com/sc-l@securecoding.org/msg03639.html). How
can the program be secure if its not even stable?
Worst, its CompSci 101 mistakes - lack of parameter validation and
failure to check return values - and not some clever attack. To add
insult to injury, compiler warning, static analysis and dynamic
analysis will often report the issues but they are not used or
ignored.
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists