[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Vulnerability Disclosure
The bug is in an installer and malicious input is crafted then pasted
into an input field which is copied into a buffer of insufficient
size. The conditions of the exploit seem a little extreme to me, but
it still results in code execution.
Does it cause execution as a different user than the one who runs
setup.exe or whatever? If not, I'm not sure it's a vulnerability. A
bug, sure, but if you can start setup.exe as the user, you can start
yourprogram.exe as well.
Should all vulnerabilities be disclosed to a vendor (at least!)
however high or low risk?
Personally, I report any bugs I find in software I care about to the
vendor/author. What they choose to do with it is usually their problem.