Vuln Dev
Vulnerability Disclosure Jun 05 2007 03:52AM
matt steer marstons co uk (2 replies)
Hi Guys,

I have been playing around with a program and have discovered a bug that I have successfully leveraged into code execution. I reported my findings to the vendor, not yet receiving a reply; this is the first time I have done this.

The bug is in an installer and malicious input is crafted then pasted into an input field which is copied into a buffer of insufficient size. The conditions of the exploit seem a little extreme to me, but it still results in code execution.

The fact that it is in an installer, hence most likely requiring Admin rights, and is a local exploit the risk of this vulnerability being exploited seems low (too me, not being a risk assessor!) .

This brings me to my question;

Should all vulnerabilities be disclosed to a vendor (at least!) however high or low risk?

I?ve never been a believer in ?Security through Obscurity?, but do the people think there comes a point when it may just be a waste of time?

To be honest; I hope not!

Matthew Steer

[ reply ]
Re: Vulnerability Disclosure Jun 07 2007 01:09PM
Mauro Flores (almauri cs com uy)
Re: Vulnerability Disclosure Jun 07 2007 12:11AM
Steve Shockley (steve shockley shockley net)


 

Privacy Statement
Copyright 2010, SecurityFocus