[VIM] odd Macromedia wording

Steven M. Christey coley at linus.mitre.org
Wed Nov 16 07:43:41 EST 2005


On Wed, 16 Nov 2005, security curmudgeon wrote:

>    The Breeze Communication Server and Breeze Live Server do not
>    sufficiently validate some RTMP data. This can cause server instability
>    or crashes for licensed customers.


I thought you were gonna complain about the "validate" phrase.  That could
mean anything.  "Validation" as a concept has, at best, many different
definitions.  Does it not handle syntactically invalid inputs?  In what
specific way is it syntactically invalid, e.g. missing an argument, having
extra separator characters, open/closing sequences in the wrong order,
etc.?  Or do they mean "semantically" invalid (whatever THAT means).
The lack of these kinds of details makes it more difficult to understand
the specific programming error and/or associated attacker manipulations.
Some vendors might not want to provide such details because of the belief
that it makes it easier to construct functioning exploits, but I've seen
the "invalid" term used by vendors who don't normally hide such details.
Then again, I could imagine that most sysadmins wouldn't care about such
specifics.

- Steve

