Bugtraq mailing list archives
Re: Microsoft Security Bulletin MS01-012 (fwd)
From: Weld Pond <weld () ATSTAKE COM>
Date: Mon, 26 Feb 2001 17:49:27 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We have revised our Microsoft vCard advisory: http://www.atstake.com/research/advisories/2001/a022301-1.txt to credit Joel Moses [joelmoses () MINDSPRING COM] and list the related CVE candidate number CVE#CAN-2000-0756. We should have caught that posting when we did the research on this vulnerability. Joel's posting described the issue as a denial of service and that is what is listed as under CVE#CAN-2000-0756. Microsoft's hotfix policy, as I understand it, is to not produce hotfixes for client DoS problems. They do not consider them client security vulnerabilities. If the issue is a client vulnerability allowing execution of arbitrary code they will create a hotfix. We were able to execute arbitrary code with this overflow and provide Microsoft with a proof of concept. From this they decided it was a client vulnerability and created a hotfix. weld -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOprdbqKvhX2AQSGyEQJtZACg5NuklFEpt35iYrSzeQIwIjtwMa8An0DY 2F5MGh1sq6jkrBFnwfq330Mj =iCuN -----END PGP SIGNATURE-----
Current thread:
- Re: Microsoft Security Bulletin MS01-012 (fwd) Weld Pond (Feb 27)