List:       full-disclosure
Subject:    Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflo
From:       Cesar <cesarc56 () yahoo ! com>
Date:       2003-06-30 17:06:35

Anyone want to exploit the bug? 
Symantec is very happy to help attackers:

http://enterprisesecurity.symantec.com/SecurityServices/content.cfm?ArticleID=682&EID="><script>alert()</script>

Cesar.

--- Jason Coombs <jasonc@science.org> wrote:
> Aloha, Symantec Security.
> 
> Two questions:
> 
> 1) Does this ActiveX control bear a digital signature? If so, the problem it
> causes does not go away simply because there is a new version available from
> Symantec. An attacker in possession of the bad code with its attached digital
> signature can fool a victim whose computer does not currently have the
> vulnerable code installed into trusting the ActiveX control due to the fact
> that Symantec's digital signature will validate against the trusted root CA
> certificate present by default in Windows -- the existence of the digital
.....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html