Vuln Dev
Vulnerability Disclosure Jun 05 2007 03:52AM
matt steer marstons co uk (2 replies)
Re: Vulnerability Disclosure Jun 07 2007 01:09PM
Mauro Flores (almauri cs com uy)
Re: Vulnerability Disclosure Jun 07 2007 12:11AM
Steve Shockley (steve shockley shockley net)
matt.steer (at) marstons.co (dot) uk [email concealed] wrote:
> The bug is in an installer and malicious input is crafted then pasted
> into an input field which is copied into a buffer of insufficient
> size. The conditions of the exploit seem a little extreme to me, but
> it still results in code execution.

Does it cause execution as a different user than the one who runs
setup.exe or whatever? If not, I'm not sure it's a vulnerability. A
bug, sure, but if you can start setup.exe as the user, you can start
yourprogram.exe as well.

> Should all vulnerabilities be disclosed to a vendor (at least!)
> however high or low risk?

Personally, I report any bugs I find in software I care about to the
vendor/author. What they choose to do with it is usually their problem.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus