Dailydave mailing list archives
Re: RE: Microsoft silently fixes security vulnerabilities
From: Nick DeBaggis <ndebaggis () verizon net>
Date: Sun, 23 Apr 2006 11:13:52 -0400
Chris Anley wrote:
As someone fixing an overflow (say), if I apply a 'gating' validation to some input string near the point that string is received and reject input greater than some presumably safe length, I have not only fixed the reported bug but also probably a number of related bugs in other code further down the call tree that I'm unaware of, maybe because someone else in my company wrote it, or because it's in third-party code, or even in a third party binary.
But you've only fixed the 'related' bugs if your validation gate is the only entry point into that particular call tree. If that code path can be hit from a different direction then those related bugs may still be viable. The third-party aspect makes this especially interesting since your validation gate may only be masking the other related bugs in the third-party code, which may cause other users of that third-party code to wrongly assume it is secure as well.
The problem is that neither I (the developer following best practice)nor the vulnerability researcher, nor anyone writing NIPS/HIPS knows what bugs were actually fixed by my input validation.
Nor does anyone know what bugs or how many were only masked out by it. Nick
Current thread:
- Microsoft silently fixes security vulnerabilities Marc_Bevand (Apr 15)
- <Possible follow-ups>
- RE: Microsoft silently fixes security vulnerabilities Steve Manzuik (Apr 17)
- RE: Microsoft silently fixes security vulnerabilities Ari Takanen (Apr 19)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Nick DeBaggis (Apr 23)
- Re: RE: Microsoft silently fixes security vulnerabilities Chris Anley (Apr 24)
- Re: RE: Microsoft silently fixes security vulnerabilities H D Moore (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Bryan Burns (Apr 21)
- Re: RE: Microsoft silently fixes security vulnerabilities Pusscat (Apr 21)