[VIM] Blaming product vendors for other vendors' "features"

Steven M. Christey coley at linus.mitre.org
Tue Oct 25 21:28:17 EDT 2005


On Tue, 25 Oct 2005, security curmudgeon wrote:

> So far, we're making seperate entries but I recognized this recently and
> wondered. Before this, the other possibly similar thing that came up was
> some XSS vulns that only occur if the victim uses MSIE.

I was thinking about that in general.  Netscape had some of its own
unusual constructs that would escape normal XSS filters.

But you see this kind of stuff all over the place in A-V, even with
corrupted files that are rejected by most - but not all - tools (e.g.
CVE-2005-3210 through CVE-2005-3235).

I think this kind of happened with MS-DOS device names a number of years
ago, when it used to cause a blue screen.  Various products had to put in
defenses/workarounds to protect themselves against what was basically an
OS bug.

> Ditto, but the obvious problem is isolating exactly what is causing it and
> making it well known. This will help prevent subsequent reports and
> copycat vuln disclosures.

One can hope ;-) although it's a rather interesting example of how
apparently cosmetic design choices can have major side effects.

- Steve


More information about the VIM mailing list