Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Update: Web browsers - a mini-farce (MSIE gives in)

from [Tim Newsham] Network Security [Permanent Link]
Subject: RE: Update: Web browsers - a mini-farce (MSIE gives in)
Date: Fri, 29 Oct 2004 09:30:54 -1000 (HST) 
From: Tim Newsham [mailto:newsham@lava.net]



But lets assume that a good programmer is writing software and
it comes to his attention that there is a buffer overflow, or
that user input is not being filtered, or that user input is being
passed to a printf type function.  What happens next?  Well, it
depends on how many bugs there are, how much other work needs
to be done, and very importantly, what the perceived impact of
that bug is.  You cannot imagine how many times a bug is pointed
out and the author of the software says "ok, that bug can only
happen if the user does something stupid, and it is not exploitable.
Lets defer that one."


This suggests that it's reasonable for a program to segfault because the
user made a mistake, instead of having some non-fatal form of error
handling.  I don't think that should be acceptable at all, though I agree
it's very common.  If I had a dollar for every time I've lost work because a
segfault or GPF happened before I saved my document...


A "defer" means "we'll fix it, but we have more important things to
do first."   I wouldn't say its an acceptance that its "reasonable"
behavior.

Tim N.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: New URL spoofing bug in Microsoft Internet Explorer, GuidoZ
Next by Date:  RE: Update: Web browsers - a mini-farce (MSIE gives in), Tim Newsham
Previous by Thread:  Re: Update: Web browsers - a mini-farce (MSIE gives in), infamous41md
Next by Thread:  Mozilla Firefox (tested on 0.9.3) html-code crash., ducch apple
Indexes:  [Date] [Thread] [Top] [All Lists]