Full Disclosure mailing list archives

Re: Microsoft Office Excel 2010 memory corruption
From: Kelvin White <kelvin.white77 () gmail com>
Date: Mon, 29 Oct 2012 23:31:42 -0400

Is the GNAA he's referring to the same trolls we all know and love?
On Oct 29, 2012 6:02 PM, "Jeffrey Walton" <noloader () gmail com> wrote:

On Mon, Oct 29, 2012 at 5:54 PM, Peter Ferrie <peter.ferrie () gmail com>
wrote:
No, it costs a lot of time and money to fix even one issue.
We don't want to waste it on something that isn't exploitable.
There are at least four problems with this argument. First, the
argument basically says "defective software is OK."

You've interpreted "don't want to waste it" as "won't fix it",
extended it to suggest that it's an acceptable response, and then
proceeded to attack that conclusion.
Do you call the fire brigade if you see the smoke from a candle?
No, but you might get someone in eventually to clean the soot from the
ceiling.
Secure is an immigrant property of the system
(http://www.mail-archive.com/sc-l@securecoding.org/msg03639.html). How
can the program be secure if it's not even stable?

Worst, it's CompSci 101 mistakes - lack of parameter validation and
failure to check return values - and not some clever attack. To add
insult to injury, compiler warning, static analysis and dynamic
analysis will often report the issues but they are not used or
ignored.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


