clipka wrote:
> flawed code which I assume would have been discovered earlier in a
> commercial environment

Interestingly, I can imagine this particular flaw might be easier to find by
a bad guy in proprietary code. You can look at the machine code to see
there's no check for NULL in that routine.

If the source code is available, how many people are really going to look at
the generated machine code to see if security checks were optimized out by
the compiler? Obviously someone did, or came across it by accident, or
something. (I didn't read the original original report.)

Just a thought...

How many routines in Linux look like they check for buffer overrun but don't
because the compiler did something wrong or unexpected? Of those, how many
will people notice, compared to the legions of people single-stepping thru
IE.exe with a debugger looking for flaws? :-)

--
Darren New, San Diego CA, USA (PST)
"We'd like you to back-port all the changes in 2.0
back to version 1.0."
"We've done that already. We call it 2.0."