
Comment Re:boring? (Score 1) 327

I've read the article (the topic is always interesting, and Ptacek is well-known in the security world). I must have missed something, because I still see the problem as a combination of really lousy programming* from the Flash guys, plus a bunch of cute hacks from Dowd to overcome the exploit limitations.
From the article:
"It then uses that pointer [the NULL pointer] with an offset controlled by the attacker."
Well, what's left to say? If you allow extraneous information to set the offset of an address in memory, you're dead meat, period.
Best,
*I definitely agree with Ptacek's comment on how malloc() should always be checked. I still think that the default one should remain unsafe (too much old code may depend on this), and instead libraries should provide a safe_malloc() that punts on failure.
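The two checks the comment above argues over, as an added example that is not part of the original comment or of the article it discusses: the allocation result is tested before use, and the untrusted offset is validated against the allocation size. Only the name `safe_malloc()` comes from the comment; its body, `store_checked()`, `alloc_fn` and `failing_alloc()` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical allocator hook, so allocation failure can be simulated. */
typedef void *(*alloc_fn)(size_t);

/* Constructed stand-in for malloc() under memory exhaustion. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* One assumed shape for safe_malloc(): never returns NULL, punts instead. */
void *safe_malloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p == NULL) {
        fputs("safe_malloc: out of memory\n", stderr);
        abort();
    }
    return p;
}

/* Store value at untrusted index idx of a freshly allocated table.
 * Returns 0 on success, -1 if allocation fails, -2 if idx is out of range.
 * Without both checks, a NULL base plus idx is a caller-chosen address. */
int store_checked(alloc_fn alloc, size_t count, size_t idx,
                  uint32_t value, uint32_t *out)
{
    if (count == 0 || count > SIZE_MAX / sizeof(uint32_t))
        return -1;                 /* size computation would overflow */
    uint32_t *table = alloc(count * sizeof *table);
    if (table == NULL)
        return -1;                 /* allocation result is checked */
    if (idx >= count) {
        free(table);
        return -2;                 /* offset validated against the size */
    }
    table[idx] = value;
    *out = table[idx];
    free(table);
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    printf("ok=%d oom=%d oob=%d\n",
           store_checked(safe_malloc, 16, 3, 0xABCD, &v),
           store_checked(failing_alloc, 16, 3, 1, &v),
           store_checked(malloc, 16, 16, 1, &v));
}
```

Passing `safe_malloc` as the allocator makes the NULL branch unreachable, but the index check is still needed: a valid base pointer with an unvalidated offset is the same out-of-bounds write.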
