funsec mailing list archives

How come security companies don't know how to write secure code?


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 25 Jul 2007 19:15:48 -0500

What am I missing here?  Why does an intrusion detection software package
open up a system to intrusions?  Isn't it obvious that an ActiveX control
shouldn't allow a Web page to load a random DLL and call functions in the
DLL?

Richard

http://secunia.com/advisories/26134/

Some vulnerabilities have been reported in CA eTrust Intrusion Detection,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerabilities are caused by the CallCode (caller.dll) ActiveX
control including certain insecure methods, which allow loading of arbitrary
DLL files and calling the exported functions with controlled parameters.
This can be exploited to e.g. execute arbitrary code when a user visits a
malicious website.

The vulnerabilities affect the following products:
* eTrust Intrusion Detection 3.0
* eTrust Intrusion Detection 3.0 SP1
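The advisory describes a control whose script-reachable method takes a DLL path and an export name straight from the page. The following is an added illustration, not CA's code and not derived from caller.dll: it puts the unsafe shape beside a hardened gatekeeper that only accepts bare file names from a fixed allowlist and only known export names. The module and export allowlists are hypothetical, and the actual LoadLibrary/GetProcAddress calls are left as comments so the policy logic runs on any platform.

```c
/* Added example: policy check for a "load module, call export" method that a
 * browser-scriptable control might expose. Not the vendor's code. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical allowlists: modules shipped with the control, by bare file
 * name, and the only exports a web page is ever meant to reach. */
static const char *const ALLOWED_MODULES[] = { "idsengine.dll", "idsreport.dll" };
static const char *const ALLOWED_EXPORTS[] = { "GetVersion", "GetStatus" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Unsafe shape: whatever the page supplies goes to the loader unchecked.
 * On Windows this would be LoadLibraryA(dll_path) followed by
 * GetProcAddress(h, export_name) and a call through the pointer. */
bool unsafe_call_export(const char *dll_path, const char *export_name) {
    return dll_path != NULL && export_name != NULL;  /* "accepted": no policy at all */
}

/* Case-insensitive equality, since Windows file names are case-insensitive. */
static bool eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Reject anything that could name a file outside the control's own directory:
 * path separators, drive letters, UNC prefixes, ".." and unusual characters. */
static bool is_bare_name(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 64) return false;
    for (const char *p = s; *p; p++) {
        if (*p == '/' || *p == '\\' || *p == ':') return false;
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '.') return false;
    }
    return strstr(s, "..") == NULL;
}

static bool in_list(const char *s, const char *const *list, size_t n, bool fold_case) {
    for (size_t i = 0; i < n; i++)
        if (fold_case ? eq_nocase(s, list[i]) : strcmp(s, list[i]) == 0) return true;
    return false;
}

/* Hardened shape: bare names only, both checked against fixed allowlists.
 * The real loader would then resolve dll_name relative to the install
 * directory, never to a caller-supplied path. */
bool safe_call_export(const char *dll_name, const char *export_name) {
    if (!is_bare_name(dll_name) || !is_bare_name(export_name)) return false;
    if (!in_list(dll_name, ALLOWED_MODULES, COUNT(ALLOWED_MODULES), true)) return false;
    if (!in_list(export_name, ALLOWED_EXPORTS, COUNT(ALLOWED_EXPORTS), false)) return false;
    return true;
}
```

The allowlist is the real fix; the name filter alone is not enough, because a module legitimately present in the install directory can still have exports that were never meant to be reachable from a page. The other layer this example does not show is the control's IObjectSafety answer: a control that has no business being driven from a web page should not report itself safe for scripting at all, which keeps Internet Explorer from instantiating it from untrusted content in the first place.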

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
