
Oracle Exec Strikes Out At 'Patch' Mentality

An anonymous reader writes "C|Net has an article up discussing comments by Oracle's Chief Security Officer railing against the culture of patching that exists in the software industry." From the article: "Things are so bad in the software business that it has become 'a national security issue,' with regulation of the industry currently on the agenda, she said. 'I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated,' she said, referring to the security think tank."

Comment Re:It makes you wonder... (Score 1)

Typically it's unusual to see "just a crash." Most programmes written in C and C++ crash due to buffer overflows, which frequently lead to running unsigned code. As a general rule, if C or C++ code crashes, it is a fairly likely possibility to be able to run arbitrary code. Just because nobody's done it yet doesn't mean that it's not possible.

If you actually code for a living you should stop right now. (living or coding, either way works for me).

The bugs demonstrated here are not buffer overflows. They are the other kind of common C/C++ bug, namely an invalid (in this case NULL) pointer dereference. Null pointer dereferencing bugs are rarely exploitable.


Sorry, but they're not null pointer dereferences, they're both integer errors which cause wacky but non-exploitable behaviour. For those who speak some assembly (clearly nobody in this subthread) the author's analysis can be found here:

http://www.securityfocus.com/archive/1/421257/30/30/threaded
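The subthread above turns on one distinction: a crash tells you a memory-safety bug exists, exploitability depends on whether the attacker chooses what gets written and where. The following C program is an added example, not code from the Slashdot thread or from the SecurityFocus analysis it links; the struct layout, handler names and the constructed "long name" payload are this example's own assumptions. A buffer sits directly in front of a function pointer: the unbounded copy lets caller-supplied bytes replace that pointer, so the attacker picks the next call target, while the bounded version rejects the same input and the original handler still runs. A pair of length checks at the end shows the integer-error class the last poster mentions, where a signed comparison lets a negative length through and the later `size_t` cast turns it into a huge copy that faults long before anything useful is overwritten.

```c
/*
 * Added example (not from the Slashdot thread): overflow that reaches
 * control data versus the same input rejected by a bounds check.
 * Layout and names are assumptions made for this demonstration.
 */
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16

struct record {
    char name[NAME_LEN];               /* attacker-reachable buffer        */
    void (*on_done)(struct record *);  /* control data right behind it     */
};

static int last_handler;               /* which handler actually ran      */

static void normal_done(struct record *r)     { (void)r; last_handler = 1; }
static void attacker_gadget(struct record *r) { (void)r; last_handler = 2; }

/* Vulnerable: trusts len, so a copy longer than name[] spills into on_done. */
static void set_name_vulnerable(struct record *r, const unsigned char *data, size_t len)
{
    memcpy(r, data, len);              /* no bound against NAME_LEN */
}

/* Hardened: refuses anything that does not fit, leaving on_done untouched. */
static int set_name_safe(struct record *r, const unsigned char *data, size_t len)
{
    if (len >= NAME_LEN)               /* leave room for the terminator */
        return -1;
    memcpy(r->name, data, len);
    r->name[len] = '\0';
    return 0;
}

/* Constructed input: NAME_LEN filler bytes followed by the raw bytes of a
 * function pointer, i.e. what an attacker would send to redirect on_done. */
static size_t build_payload(unsigned char *out, void (*target)(struct record *))
{
    memset(out, 'A', NAME_LEN);
    memcpy(out + NAME_LEN, &target, sizeof target);
    return NAME_LEN + sizeof target;
}

/* Returns 1 if the legitimate handler ran, 2 if the attacker's gadget did. */
int run_vulnerable(void)
{
    struct record r;
    unsigned char payload[sizeof(struct record)];
    size_t len;

    r.on_done = normal_done;
    len = build_payload(payload, attacker_gadget);
    set_name_vulnerable(&r, payload, len);
    last_handler = 0;
    r.on_done(&r);                     /* now points at attacker_gadget */
    return last_handler;
}

int run_safe(void)
{
    struct record r;
    unsigned char payload[sizeof(struct record)];
    size_t len;

    r.on_done = normal_done;
    len = build_payload(payload, attacker_gadget);
    if (set_name_safe(&r, payload, len) != 0)
        r.name[0] = '\0';              /* rejected: record stays intact */
    last_handler = 0;
    r.on_done(&r);                     /* still normal_done */
    return last_handler;
}

/* Integer-error variant: a signed comparison accepts a negative length;
 * the (size_t) cast a real copy would apply then yields a huge count and
 * a fault, not a controlled write. Check only, no copy performed here. */
int signed_check_accepts(int len)
{
    return len <= NAME_LEN;            /* -1 <= 16 is true: check bypassed */
}

int unsigned_check_accepts(size_t len)
{
    return len < NAME_LEN;             /* (size_t)-1 is rejected */
}
```

The payload copy in `set_name_vulnerable` stays inside `sizeof(struct record)`, so the demonstration is deterministic and does not depend on stack layout; what it shows is that the bytes after `name[]` are whatever the attacker sent, and that the next indirect call goes where those bytes say. Compare that with the NULL-dereference and integer cases discussed above, where the fault address is not one the attacker chose.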
