| Re: Back to Being a Luddite (Oh Well) |
|---|
> In article <telecom25.255.8@telecom-digest.org>, mc
> <look@www.ai.uga.edu.for.address> wrote:
>> I don't think it does. Has anyone made measurements? Text files and
>> graphics don't have to be checked, only executable code.
> I believe there have been several overflows found in image processing
> libraries (jpeg, pdf, tiff...) used by popular browsers and image
> viewers.
> I am also aware of at least one entirely text based attack on a hole in
> a Java runtime engine.
> sidd
Yep. Buffer overruns are the biggest issue with web stuff. Shove more of
something than is expected at just the right time and a badly coded
something will barf or let it overwrite some code. And if that code can
later be forced to execute then you have a way to stuff your own code
into the system and have it execute. I saw a writeup about one of the
biggies that hit MS servers a few years back and the actual inserted
code was maybe 20 or 40 characters. So it doesn't take much. And it
doesn't have to be "code" that your browser thinks it is being fed.
Text, graphics, code, etc ... are just labels. It's all bits.
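
An added example, not part of the original post: a parser for a made-up image header whose length field comes from the file itself, with the two bounds checks that keep an oversized "comment" from overrunning a fixed buffer. The "IMG0" format, the function and type names, and the sample inputs are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 64 /* fixed-size destination buffer */

enum parse_result { PARSE_OK, ERR_TRUNCATED, ERR_BAD_MAGIC,
                    ERR_LEN_EXCEEDS_INPUT, ERR_LEN_EXCEEDS_BUFFER };

struct image_meta { char comment[COMMENT_MAX]; size_t comment_len; };

/* Constructed format: "IMG0" | 16-bit big-endian comment length | comment */
enum parse_result parse_image_comment(const uint8_t *in, size_t in_len,
                                      struct image_meta *out)
{
    if (in_len < 6) return ERR_TRUNCATED;
    if (memcmp(in, "IMG0", 4) != 0) return ERR_BAD_MAGIC;
    size_t declared = ((size_t)in[4] << 8) | in[5];

    /* The length field comes from the file, so it is untrusted input. */
    if (declared > in_len - 6) return ERR_LEN_EXCEEDS_INPUT;    /* would read past the input */
    if (declared >= COMMENT_MAX) return ERR_LEN_EXCEEDS_BUFFER; /* would write past out->comment */

    memcpy(out->comment, in + 6, declared);
    out->comment[declared] = '\0';
    out->comment_len = declared;
    return PARSE_OK;
}

/* Constructed sample inputs */
static const uint8_t sample_ok[] = {'I','M','G','0', 0x00,0x05, 'h','e','l','l','o'};
static const uint8_t sample_oversized[6 + 200] = {'I','M','G','0', 0x00,0xC8};
static const uint8_t sample_lying[] = {'I','M','G','0', 0x00,0x20, 'a','b','c'};

int main(void)
{
    struct image_meta m;
    printf("ok:        %d\n", parse_image_comment(sample_ok, sizeof sample_ok, &m));
    printf("oversized: %d\n", parse_image_comment(sample_oversized, sizeof sample_oversized, &m));
    printf("lying:     %d\n", parse_image_comment(sample_lying, sizeof sample_lying, &m));
    return 0;
}
```

A parser that skips the second check and copies `declared` bytes into the 64-byte buffer is the "badly coded something" described above: the file is nominally an image, but the length field decides how far the copy runs.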