Re: [Dailydave] RE: Microsoft silently fixes security vulnerabilities
From: Chris Anley (chris ngssoftware.com)
Date: Mon Apr 24 2006 - 03:46:17 CDT
>> <snipped 'input validation fixes some bugs related to the input'>
Nick DeBaggis wrote:
> But you've only fixed the 'related' bugs if your validation gate is the
> only entry point into that particular call tree. If that code path can
> be hit from a different direction then those related bugs may still be
> viable. The third-party aspect makes this especially interesting since
> your validation gate may only be masking the other related bugs in the
> third-party code, which may cause other users of that third-party code
> to wrongly assume it is secure as well.
Sure, but my point is, some bugs are fixed.
>> The problem is that neither I (the developer following best practice)
>> nor the vulnerability researcher, nor anyone writing NIPS/HIPS knows
>> what bugs were actually fixed by my input validation.
>
> Nor does anyone know what bugs or how many were only masked out by it.
All of which is entirely true. The only point I was trying to make was
that some silent fixes are inadvertent.
You're right though, and there's a really long thread we could get into
about how people should code, relating to the definition of a bug (does
strcpy have a bug?), input validation of parameters in every function
and security implications of code re-use, but I'm not sure I want to
inflict that on the good people of dailydave, especially on a Monday
morning, pre-caffeinated.
-chris.
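
The distinction drawn in the quoted text above, between a bug that is fixed and one that is only masked by a validation gate, shown as an added example that is not part of the original message. The record layout, the third-party routine `tp_set_name` and both entry points are hypothetical and were constructed for illustration.

```c
#include <string.h>

#define NAME_LEN   8    /* bytes 0..7 of a record hold the name */
#define FLAG_OFF   8    /* byte 8 holds a privilege flag */
#define RECORD_LEN 16

/* Hypothetical third-party routine. Bug: it bounds the copy by the whole
 * record instead of the name field, so a 9..16 byte name overwrites the flag. */
int tp_set_name(unsigned char *rec, const char *src, size_t len) {
    if (len > RECORD_LEN) return -1;
    memcpy(rec, src, len);
    return 0;
}

/* The same routine with the bug fixed where it lives. */
int tp_set_name_fixed(unsigned char *rec, const char *src, size_t len) {
    if (len > NAME_LEN) return -1;
    memcpy(rec, src, len);
    return 0;
}

typedef int (*set_name_fn)(unsigned char *, const char *, size_t);

/* Entry point 1: the caller's validation gate sits in front of the call. */
int web_entry(set_name_fn set, unsigned char *rec, const char *name) {
    size_t len = strlen(name);
    if (len > NAME_LEN) return -1;      /* gate: rejects overlong input */
    return set(rec, name, len);
}

/* Entry point 2: a different route into the same call tree, with no gate. */
int import_entry(set_name_fn set, unsigned char *rec, const char *name) {
    return set(rec, name, strlen(name));
}

/* Returns 1 if the flag byte changed after feeding `name` through `entry`. */
int flag_corrupted(int (*entry)(set_name_fn, unsigned char *, const char *),
                   set_name_fn set, const char *name) {
    unsigned char rec[RECORD_LEN] = {0};
    entry(set, rec, name);
    return rec[FLAG_OFF] != 0;
}

int main(void) {
    const char *overlong = "AAAAAAAAA";   /* constructed input: 9 bytes */
    return !(flag_corrupted(web_entry, tp_set_name, overlong) == 0 &&
             flag_corrupted(import_entry, tp_set_name, overlong) == 1 &&
             flag_corrupted(import_entry, tp_set_name_fixed, overlong) == 0);
}
```

Through the gated entry point the buggy routine looks fixed; through the second entry point the same input still reaches the bug, and only the change inside the callee closes both paths.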