Vulnerability Development mailing list archives
Vulnerability Disclosure
From: matt.steer () marstons co uk
Date: 5 Jun 2007 03:52:13 -0000
Hi Guys,

I have been playing around with a program and have discovered a bug that I have successfully leveraged into code execution. I reported my findings to the vendor, not yet receiving a reply; this is the first time I have done this.

The bug is in an installer: malicious input is crafted, then pasted into an input field which is copied into a buffer of insufficient size. The conditions of the exploit seem a little extreme to me, but it still results in code execution. Given that it is in an installer, hence most likely requiring Admin rights, and is a local exploit, the risk of this vulnerability being exploited seems low (to me, not being a risk assessor!).

This brings me to my question: should all vulnerabilities be disclosed to a vendor (at least!), however high or low risk? I've never been a believer in Security through Obscurity, but do people think there comes a point when it may just be a waste of time? To be honest, I hope not!

Matthew Steer