[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
- To: Peter Ferrie <peter.ferrie@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Mon, 29 Oct 2012 18:02:20 -0400
On Mon, Oct 29, 2012 at 5:54 PM, Peter Ferrie <peter.ferrie@xxxxxxxxx> wrote:
>>> No, it costs a lot of time and money to fix even one issue.
>>> We don't want to waste it on something that isn't exploitable.
>> There are at least four problems with this argument. First, the
>> argument basically says "defective software is OK."
>
> You've interpreted "don't want to waste it" as "won't fix it",
> extended it to suggest that it's an acceptable response, and then
> proceeded to attack that conclusion.
> Do you call the fire brigade if you see the smoke from a candle?
> No, but you might get someone in eventually to clean the soot from the
> ceiling.
Secure is an immigrant property of the system
(http://www.mail-archive.com/sc-l@xxxxxxxxxxxxxxxx/msg03639.html). How
can the program be secure if its not even stable?
Worst, its CompSci 101 mistakes - lack of parameter validation and
failure to check return values - and not some clever attack. To add
insult to injury, compiler warning, static analysis and dynamic
analysis will often report the issues but they are not used or
ignored.
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/