funsec mailing list archives
How come security companies don't know how to write secure code?
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 25 Jul 2007 19:15:48 -0500
What am I missing here? Why does an intrusion detection software package open up a system to intrusions? Isn't it obvious that an ActiveX control shouldn't allow a Web page to load a random DLL and call functions in the DLL?

Richard

http://secunia.com/advisories/26134/

Some vulnerabilities have been reported in CA eTrust Intrusion Detection, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to the CallCode (caller.dll) ActiveX control including certain insecure methods, which allow loading of arbitrary DLL files and calling the exported functions with controlled parameters. This can be exploited to e.g. execute arbitrary code when a user visits a malicious website.

The vulnerabilities affect the following products:
* eTrust Intrusion Detection 3.0
* eTrust Intrusion Detection 3.0 SP1

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
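Editor's note (added example; this is not code from Richard's post, from CA, or from the Secunia advisory): the standard stop-gap for a scriptable ActiveX control of this kind, before a vendor patch is available, is to set the Internet Explorer "kill bit" for the control's CLSID (Microsoft KB 240797). IE then refuses to instantiate the control from any Web page, regardless of whether it is marked safe for scripting. The advisory excerpt above does not give the CLSID of the CallCode (caller.dll) control, so the CLSID in the script is a placeholder; read the real one from the control's registration under HKCR\CLSID before running this. The script assumes PowerShell on Windows with administrative rights.

```powershell
# Added example, not from the original post or from CA/Secunia.
# Sets (and checks) the IE kill bit for an ActiveX control, per Microsoft KB 240797.
# Requires an elevated PowerShell prompt: the keys live under HKLM.

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )

    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so set both.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }

    foreach ($p in $paths) {
        if (-not (Test-Path $p)) {
            New-Item -Path $p -Force | Out-Null
        }
        # 0x400 is the kill bit: IE never loads the control, even if the control
        # reports itself "safe for scripting" or "safe for initialisation".
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    }
}

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid
    )
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $p)) { return $false }
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -ne 0)
}

# Placeholder CLSID (hypothetical): replace with the CallCode control's real CLSID
# from HKCR\CLSID before use.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid
if (Test-ActiveXKillBit -Clsid $clsid) {
    Write-Output "Kill bit set for $clsid"
} else {
    Write-Output "Kill bit NOT set for $clsid (run elevated?)"
}
```

Two caveats a practitioner should keep in mind. The kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from instantiating the control; the DLL stays on disk and any other COM client can still load it, so the kill bit is a mitigation, not a fix. And a control is only reachable from a Web page in the first place if it is marked safe for scripting (via IObjectSafety or the "Safe for Scripting" implemented category); a control that exposes "load this DLL and call this export with my arguments" has no business carrying that marking, which is the point of the post above.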
Current thread:
- How come security companies don't know how to write secure code? Richard M. Smith (Jul 25)
- Re: How come security companies don't know how to write secure code? Gadi Evron (Jul 25)