Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Office Excel 2010 memory corruption
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 29 Oct 2012 18:02:20 -0400

On Mon, Oct 29, 2012 at 5:54 PM, Peter Ferrie <peter.ferrie () gmail com> wrote:
No, it costs a lot of time and money to fix even one issue.
We don't want to waste it on something that isn't exploitable.
There are at least four problems with this argument. First, the
argument basically says "defective software is OK."

You've interpreted "don't want to waste it" as "won't fix it",
extended it to suggest that it's an acceptable response, and then
proceeded to attack that conclusion.
Do you call the fire brigade if you see the smoke from a candle?
No, but you might get someone in eventually to clean the soot from the ceiling.
Secure is an immigrant property of the system
(http://www.mail-archive.com/sc-l () securecoding org/msg03639.html). How
can the program be secure if its not even stable?

Worst, its CompSci 101 mistakes - lack of parameter validation and
failure to check return values - and not some clever attack. To add
insult to injury, compiler warning, static analysis and dynamic
analysis will often report the issues but they are not used or


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]