Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft Security Bulletin MS01-012 (fwd)

From: Weld Pond <weld () ATSTAKE COM>
Date: Mon, 26 Feb 2001 17:49:27 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


We have revised our Microsoft vCard advisory:
http://www.atstake.com/research/advisories/2001/a022301-1.txt
to credit Joel Moses [joelmoses () MINDSPRING COM] and list the related CVE
candidate number CVE#CAN-2000-0756. We should have caught that posting when
we did the research on this vulnerability.

Joel's posting described the issue as a denial of service and that is what
is listed as under CVE#CAN-2000-0756. Microsoft's hotfix policy, as I
understand it, is to not produce hotfixes for client DoS problems.  They do
not consider them client security vulnerabilities. If the issue is a client
vulnerability allowing execution of arbitrary code they will create a
hotfix.  We were able to execute arbitrary code with this overflow and
provide Microsoft with a proof of concept.  From this they decided it was a
client vulnerability and created a hotfix.

weld


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOprdbqKvhX2AQSGyEQJtZACg5NuklFEpt35iYrSzeQIwIjtwMa8An0DY
2F5MGh1sq6jkrBFnwfq330Mj
=iCuN
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: