Michal Zalewski discovers another image rendering bug that crashes Internet Explorer. Virus.org says the flaw could be exploited by an attacker with a specially crafted JPEG picture to trigger a buffer overflow (code execution).
This portion of Zalewski's post is rather instructive:
"It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice."
skip to main |
skip to sidebar
An (outside) look at security in Microsoft's dominant operating system.
About Me
- Ryan Naraine
- I write about IT security issues/trends for eWEEK Magazine; I'm West Indian and I obsess about West Indies cricket.
My blog is mine. The opinions represented in this blog are mine as well and may not represent my employer's opinions.
Digg Security
- Microsoft Watch
- eWEEK Security
- MSRC Blog
- Exploit Prevention Labs
- Metasploit
- Stephen Toulouse (MSRC)
- Michael Howard
- John Pescatore
- Ben Edelman
- Bruce Schneier
- Matasano
- Donna Buenaventura
- WaPo SecurityFix
- F-Secure Weblog
- Kaspersky Lab
- ISC Sans Diary
- Sunbeltblog
- Honeyblog
- Jesper Johansson
- Paper Ghost
- Worm Blog
Blog Archive
-
▼
2005
(82)
-
▼
July
(39)
- MS05-036 Exploit Published
- Kaminsky on Security at Redmond
- Win2K Update Rollup Hiccups
- US-CERT Weekly Windows Security Summary
- 80 Super Security Tips
- Acquisitive Microsoft
- What’s The Use of Security Advisories?
- AOL's IE Browser
- Windows Anti-Spy Refresh
- Spyware at Cingular Store
- Support for Industry Patch Day
- Advisory/Workarounds for RDP Flaw
- Explaining Premature Disclosure for IE Flaw
- XP SP2 Zero-Day?
- Dell, Spyware and My Way
- SWI Team May Start Blogging
- Pre-Patch Investigations Explained
- Schneier on Microsoft/Claria Hubbub
- Patch Deluge Redux
- Still no RSS Feed for Advisories
- Windows XP SP2 Remote Kernel DoS Flaw
- Cybercrime *Not* Terrorism
- A Message for Microsoft
- MS/Claria Deal Dead
- Why You Need Multiple AntiSpyware Apps
- It's Raining Patches
- Multiple Vendors Patching Today
- Low Hopes for Anti Spyware Coalition
- Hacker Manifesto
- 19 Deadly Sins of Software Security
- Momentum for MS AntiSpyware Rethink
- Lazy People and Default Settings
- London Bombing Trojan
- Talking a Lot, Saying Nothing
- Unimpressed with Spyware Downgrade Explanation
- Ed Bott on MSAS Claria Downgrades
- eEye Spies More Windows Flaws
- MS AntiSpyware Bordering on Irrelevance
- Some Fatherly Advice for Sasser Sven
-
▼
July
(39)