From: Steve Shockley (steve.shockleyshockley.net)
Date: Wed Jun 06 2007 - 19:11:18 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

matt.steermarstons.co.uk wrote:
> The bug is in an installer and malicious input is crafted then pasted
> into an input field which is copied into a buffer of insufficient
> size. The conditions of the exploit seem a little extreme to me, but
> it still results in code execution.

Does it cause execution as a different user than the one who runs
setup.exe or whatever? If not, I'm not sure it's a vulnerability. A
bug, sure, but if you can start setup.exe as the user, you can start
yourprogram.exe as well.

> Should all vulnerabilities be disclosed to a vendor (at least!)
> however high or low risk?

Personally, I report any bugs I find in software I care about to the
vendor/author. What they choose to do with it is usually their problem.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]