[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerability Disclosure

matt.steer@xxxxxxxxxxxxxx wrote:
The bug is in an installer and malicious input is crafted then pasted
into an input field which is copied into a buffer of insufficient
size. The conditions of the exploit seem a little extreme to me, but
it still results in code execution.

Does it cause execution as a different user than the one who runs setup.exe or whatever? If not, I'm not sure it's a vulnerability. A bug, sure, but if you can start setup.exe as the user, you can start yourprogram.exe as well.

Should all vulnerabilities be disclosed to a vendor (at least!)
however high or low risk?

Personally, I report any bugs I find in software I care about to the vendor/author. What they choose to do with it is usually their problem.