funsec mailing list archives

Re: How come security companies don't know how to write secure code?


From: Gadi Evron <ge () linuxbox org>
Date: Thu, 26 Jul 2007 00:04:41 -0500 (CDT)

On Wed, 25 Jul 2007, Richard M. Smith wrote:
> What am I missing here?  Why does an intrusion detection software package
> open up a system to intrusions?  Isn't it obvious that an ActiveX control
> shouldn't allow a Web page to load a random DLL and call functions in the
> DLL?

It's a product, built to marketing specifications and to ship as soon as possible. So what if it's a security product?

> Richard
>
> http://secunia.com/advisories/26134/
>
> Some vulnerabilities have been reported in CA eTrust Intrusion Detection,
> which can be exploited by malicious people to compromise a vulnerable
> system.
>
> The vulnerabilities are caused due to the CallCode (caller.dll) ActiveX
> control including certain insecure methods, which allow loading of arbitrary
> DLL files and calling the exported functions with controlled parameters.
> This can be exploited to e.g. execute arbitrary code when a user visits a
> malicious website.
>
> The vulnerabilities affect the following products:
> * eTrust Intrusion Detection 3.0
> * eTrust Intrusion Detection 3.0 SP1

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
