[funsec] I'm so excitied, I just can't hide it.......

Richard M. Smith rms at computerbytesman.com
Fri Apr 18 07:29:01 CDT 2008



 

When I see a null pointer bug in an application, I question how well the
application has been vetted for more dangerous security vulnerabilites.
OTOH, many vendors pooh-pooh null pointer bugs, because they don't allow
remote code execution.  Perhaps it is time for vendors to take these errors
more seriously?
 
Richard
 

 <http://tech.slashdot.org/tech/08/04/18/0436232.shtml> NULL Pointer Exploit
Excites Researchers 

Posted by Soulskill on Friday April 18, @05:18AM
from the ruh-roh-shaggy dept. 
 <http://slashdot.org/search.pl?tid=108> Java 
Da Massive writes "Mark Dowd's paper "Application-Specific Attacks:
Leveraging the ActionScript Virtual Machine" has alarmed researchers
<http://www.cio.com.au/index.php/id;342968942> . It points out techniques
that promise to open up a class of exploits and vulnerability research
previously thought to be prohibitively difficult. Already, the small but
growing group of Information Security experts who have had the chance to
read and digest the contents of the paper are expressing an excited concern
depending on how they are interpreting it. While the Flash vulnerability
described in the
<http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf> paper[PDF]
has been patched by Adobe, the presentation of a reliable exploit for NULL
pointer dereferencing has the researchers who have read the paper
fascinated. Thomas Ptacek has an explanation
<http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash
-exploit/> of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the
technical  <http://blogs.zdnet.com/security/?p=1030> details.'" 
  <http://slashdot.org/login.pl> [+] security
<http://slashdot.org/tags/security> , java <http://slashdot.org/tags/java> ,
dowd <http://slashdot.org/tags/dowd> , null <http://slashdot.org/tags/null>
(tagging beta <http://slashdot.org/faq/tags.shtml> ) 

*	 <http://tech.slashdot.org/tech/08/04/18/0436232.shtml> Read More...


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://linuxbox.org/pipermail/funsec/attachments/20080418/ed7716ad/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1581 bytes
Desc: not available
Url : http://linuxbox.org/pipermail/funsec/attachments/20080418/ed7716ad/attachment.gif 


More information about the funsec mailing list