Dailydave mailing list archives
Fonts of fun
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 11 Jan 2006 08:19:20 -0500
I'm not sure why Font means both "a source of something" and "the way letters look" in English.

Personally, I think people are making the EOT bug sound harder than it is. I guess the lesson is: Buy BinNavi, stop whinging about da bugs. Piotr Bania basically gave the entire bug up blow by blow in his half-finished advisory (http://www.piotrbania.com/all/adv/MS06-002-adv.txt).

Which reminds me... eEye's newsletter today said this about it:

"Details of this flaw were first released today in conjunction with the Microsoft patch and within minutes, other researchers had reverse engineered the Microsoft patch and shared the details online, which means that this flaw may very well be used in an attack. The attack vector of this flaw is similar to the WMF flaw, in that a user must visit a malicious website containing the malicious font file."

I'm fairly sure this is someone on the marketing team trying to put a bit of spin on it. It's clear that Piotr did not "reverse engineer the patch". He'd obviously had the bug for some time. It's always funny when people play the "Who had it first" game. Because if you are the kind of person who gave the bug up - you were not first.

-dave