TELECOM Digest OnLine - Sorted: Re: Back to Being a Luddite (Oh Well)


Re: Back to Being a Luddite (Oh Well)


DLR (news22@raleighthings.com)
Thu, 13 Jul 2006 03:10:15 -0400

sidd@situ.com wrote:

> In article <telecom25.255.8@telecom-digest.org>, mc
> <look@www.ai.uga.edu.for.address> wrote:

>> I don't think it does. Has anyone made measurements? Text files and
>> graphics don't have to be checked, only executable code.

> I believe there have been several overflows found in image processing
> libraries (jpeg,pdf,tiff...) used by popular browsers and image
> viewers.

> I am also aware of at least one entirely text based attack on a hole in
> a java runtime engine.

> sidd

Yep. Buffer overruns are the biggest issue with web stuff. Shove more of
something than is expected at just the right time and a badly coded
something will barf or let it overwrite some code. And if that code can
later be forced to execute then you have a way to stuff your own code
into the system and have it execute. I saw a writeup about one of the
biggies that hit MS servers a few years back and the actual inserted
code was maybe 20 or 40 characters. So it doesn't take much. And it
doesn't have to be "code" that your browser thinks it is being fed.
Text, graphics, code, etc ... are just labels. It's all bits.
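The overrun DLR describes (a length field in the input that a parser trusts, so a few extra bytes land past the end of a fixed buffer) is easiest to see next to its fix. The following is an added example, not code from the Digest or from any of the posters; the two-byte length-prefixed "chunk" format, the PAYLOAD_MAX size and all sample inputs are constructed for illustration, loosely modelled on the image-file chunk parsing the thread mentions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format (constructed for this example, not a real image format):
 *   byte 0..1 : declared payload length, big-endian
 *   byte 2..  : payload bytes
 */
#define PAYLOAD_MAX 16

/* Vulnerable pattern: the declared length comes straight from the input and is
 * never compared with the destination capacity or with the bytes actually
 * present. On well-formed input it "works", which is why such bugs hide; on a
 * crafted length it writes past 'out' (undefined behaviour), exactly the
 * overwrite the post talks about. Shown for contrast only; never call it with
 * untrusted data. */
int parse_chunk_unchecked(const uint8_t *in, size_t in_len, uint8_t out[PAYLOAD_MAX]) {
    if (in_len < 2) return -1;
    size_t declared = ((size_t)in[0] << 8) | in[1];
    memcpy(out, in + 2, declared);          /* no bound on 'declared' */
    return (int)declared;
}

/* Hardened pattern: every copy is bounded by both the destination capacity and
 * the bytes that are really there, so a lying length field is rejected rather
 * than honoured. Return codes: >=0 bytes copied, -1 too short for a header,
 * -2 would overflow destination, -3 would read past the end of the input. */
int parse_chunk_checked(const uint8_t *in, size_t in_len, uint8_t out[PAYLOAD_MAX]) {
    if (in_len < 2) return -1;
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > PAYLOAD_MAX) return -2;  /* destination bound */
    if (declared > in_len - 2) return -3;   /* source bound */
    memcpy(out, in + 2, declared);
    return (int)declared;
}

/* Constructed sample inputs. */
static const uint8_t sample_good[]      = { 0x00, 0x04, 'a', 'b', 'c', 'd' };   /* declares 4, has 4 */
static const uint8_t sample_oversized[] = { 0x10, 0x00, 'x', 'x' };             /* declares 4096 */
static const uint8_t sample_truncated[] = { 0x00, 0x08, 'a', 'b' };             /* declares 8, has 2 */

/* Named wrappers so each result can be checked by a caller. */
int demo_good_checked(void) {
    uint8_t out[PAYLOAD_MAX] = {0};
    return parse_chunk_checked(sample_good, sizeof sample_good, out);
}
int demo_good_payload_matches(void) {
    uint8_t out[PAYLOAD_MAX] = {0};
    int n = parse_chunk_checked(sample_good, sizeof sample_good, out);
    return n == 4 && memcmp(out, "abcd", 4) == 0;
}
int demo_good_unchecked(void) {           /* benign input: the buggy parser also returns 4 */
    uint8_t out[PAYLOAD_MAX] = {0};
    return parse_chunk_unchecked(sample_good, sizeof sample_good, out);
}
int demo_oversized_checked(void) {        /* the hardened parser refuses the 4096-byte claim */
    uint8_t out[PAYLOAD_MAX] = {0};
    return parse_chunk_checked(sample_oversized, sizeof sample_oversized, out);
}
int demo_truncated_checked(void) {        /* length fits the buffer but not the input */
    uint8_t out[PAYLOAD_MAX] = {0};
    return parse_chunk_checked(sample_truncated, sizeof sample_truncated, out);
}

int main(void) {
    printf("good (checked):      %d\n", demo_good_checked());
    printf("good (unchecked):    %d\n", demo_good_unchecked());
    printf("oversized (checked): %d\n", demo_oversized_checked());
    printf("truncated (checked): %d\n", demo_truncated_checked());
    return 0;
}
```

The point of the two source-side checks is that the length field is attacker-controlled data, not metadata: the hardened version treats it as a claim to be verified against what the program actually knows (its own buffer size and the real input size). Compiling with `-fsanitize=address` and fuzzing the length field is the usual way to shake such parsers out before shipping.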
