|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IE 4.01 bugs in Win95 & WinNT. (long)
- To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM - Subject: Re: IE 4.01 bugs in Win95 & WinNT. (long)
- From: Jason Garms <jasongMICROSOFT.COM>
- Date: Mon, 16 Mar 1998 15:52:52 -0800
- Comments: To: David LeBlanc <dleblancISS.NET>
- Reply-To: Jason Garms <jasongMICROSOFT.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
When this bug was brought to our attention a few days ago, we did a thorough
analysis to determine if there was security-relevant exposure, such as a
stack overwrite, but there is nothing here that is exploitable.
We very much appreciate this having been brought to our attention, and it is
in the bug database and will be fixed as a standard bug in the next version.
I wish we could say that it was possible to write software that contains no
bugs, but that would be unrealistic.
Thanks,
-JasonG
Product Manager
Windows NT Security
Microsoft Corporation
-----Original Message-----
From: David LeBlanc [SMTP:dleblancISS.NET]
Sent: Monday, March 16, 1998 10:26 AM
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 4.01 bugs in Win95 & WinNT. (long)
At 10:15 3/16/98 -0500, Abe L. Getchell wrote:
> Microsoft's position in this matter is, "The IE team has
put this
bug in
>the bug database, and it will be fixed in the next release or
service
>release." Personally, I think that bugs like these in commercial
>software are unacceptable, but I can understand why they took the
>position they did. As Russ said in an e-mail to me, "...and while
GP'ing
>your machine is not a good thing, you're not likely to return to
the site
>that caused it...". Make of it what you will... If you have any
>questions, feel free to contact me at agetchelkde.state.ky.us.
Thanks
>for listening...
Unless someone can come up with some way to use these bugs to cause
a stack
overwrite, then I'd have to agree that MS is doing the right thing.
Since
it doesn't appear to really be a security breach, and isn't
something we're
actually going to hit very often in the wild (i.e., a correctly
created web
page won't zap you), this constitutes a medium priority bug (IMHO),
which
should get fixed in the next rev, but isn't worth incurring the
considerable expense of QAing a full dot release.
-----------------------------------------------------------
David LeBlanc | Voice: (770)395-0150 x138
Internet Security Systems, Inc. | Fax: (770)395-1972
41 Perimeter Center East | E-Mail: dleblanciss.net
Suite 660 | www: http://www.iss.net/
Atlanta, GA 30328 |
- Prev by Date: Administrivia #8661
- Next by Date: MS Word connected to DB/2: Cleartext host uid & pwd in document!
- Prev by thread: Re: IE 4.01 bugs in Win95 & WinNT. (long)
- Next by thread: RRAS Hotfix semantics
- Index(es):