[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Security Bug in MSVC

To: "Joachim Schipper" <j.schipper@xxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Security Bug in MSVC
From: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
Date: Wed, 18 Jan 2006 11:25:31 -0800

> In all this, I am discounting the fact that if someone is building
> untrusted sources, (s)he is most likely going to run the untrusted
> program afterwards.

this does not run an untrusted program.
if you noted, I named it a "feature bug"
and my poc is a simple "hello world" sample

Judging from MS extensive information to me,direct from MSRC, this is an
issue.
remote code can be pulled in and executed without any
notice or warning to the user.
I am not leveraging directives for CPP ( cc is the Makefile eqiv)

MSVC tends to hide ( especially these actions ) to the end user.

cheers,
Donnie
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Security Bug in MSVC
  - From: Morning Wood
- Re: [Full-disclosure] Security Bug in MSVC
  - From: Joachim Schipper

Prev by Date: RE: [Full-disclosure] Vulnerability/Penetration Testing Tools
Next by Date: Re: [Full-disclosure] Question for the Windows pros
Previous by thread: Re: [Full-disclosure] Security Bug in MSVC
Next by thread: Re: [Full-disclosure] Security Bug in MSVC
Index(es):
- Date
- Thread