[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
- To: "Daniel Veditz" <dveditz@xxxxxxxxxx>, "George Ou" <george_ou@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
- From: "Larry Seltzer" <Larry@xxxxxxxxxxxxxxxx>
- Date: Tue, 3 Apr 2007 21:51:45 -0400
Alex had said that he was exploiting this bug on Firefox, even though
the Firefox docs say it should be impossible. I'm just trying to
understand how his claims are possible.
There's no reason to believe the Firefox developers need to do anything.
IE, for example, is fixed when the ANI code in GDI is fixed.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer@xxxxxxxxxxxxx
-----Original Message-----
From: Daniel Veditz [mailto:dveditz@xxxxxxxxxx]
Sent: Tuesday, April 03, 2007 9:47 PM
To: George Ou
Cc: Larry Seltzer; 'Alexander Sotirov';
full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
George Ou wrote:
> The patch for ANI is out from Microsoft. I'm assuming the question is
> if we will see this technique for Firefox exploitation posted now?
Why? That would needlessly put Firefox users at risk -- not everyone
will be able to apply the Windows patch immediately. Microsoft may have
had since December to craft a patch, but the Firefox team hasn't.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/