[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- To: Brian Eaton <eaton.lists@xxxxxxxxx>
- Subject: Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- From: "Pavel Kankovsky" <peak@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 29 Mar 2006 01:54:13 +0200 (CEST)
On Mon, 27 Mar 2006, Brian Eaton wrote:
> If I run a pure-java browser, for example, no web site's HTML code is
> going to cause a buffer overflow in the parser.
Even a "pure-java browser" would rest on the top of a huge pile of native
code (OS, JRE, native libraries). A seemingly innocent piece of data
passed to that native code might trigger a bug (perhaps even a buffer
overflow) in it...
Unlikely (read: less likely than a direct attack vector) but still
possible.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/