From owner-freebsd-security  Wed Aug 19 02:18:23 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id CAA14558
          for freebsd-security-outgoing; Wed, 19 Aug 1998 02:18:23 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA14454
          for <security@FreeBSD.ORG>; Wed, 19 Aug 1998 02:17:32 -0700 (PDT)
          (envelope-from nbm@rucus.ru.ac.za)
Received: (qmail 19604 invoked by uid 1003); 19 Aug 1998 09:16:35 -0000
Message-ID: <19980819111635.A18535@rucus.ru.ac.za>
Date: Wed, 19 Aug 1998 11:16:35 +0200
From: Neil Blakey-Milner <nbm@rucus.ru.ac.za>
To: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
References: <199808162301.UAA09103@dragon.acadiau.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>; from Michael Richards on Sun, Aug 16, 1998 at 08:01:11PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun 1998-08-16 (20:01), Michael Richards wrote:
> Why aren't there buffer overruns for winblows that overrun the stack and
> execute nasty code? I realise that there is no way to get a shell, but being
> able to exec "format" is still a useful thing for a cracker to do on a
> windows box.

On Bugtraq recently, a Microsoft bulletin (MS98-011):
//------
Long strings do not normally occur in scripts and must be intentionally
created by someone with malicious intent. A skilled hacker could use this
malicious script message to run arbitrary computer code contained in the
long string.

The following software is affected by this vulnerability:
 - Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95
   and Windows NT 4.0
 - Microsoft Windows 98

Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX
(Solaris) are not affected by this problem. Internet Explorer 3.x is not
affected by this problem.
//------

Neil
-- 
Neil Blakey-Milner
nbm@rucus.ru.ac.za

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message