Todd Towles: >>Can anyone else verify Steve Gibson's assertion that this >>flaw was intentionally placed by Microsoft programmers?
It's insecure-by-design, but it's working exactly as written. It's been in there for _15_ years, and ported to every version of Windows. Windows 3.0 supports it. :-/ bkfsec: >The way I read what he's saying there, he's saying that you enter >malformed input and that malformed input pushes the executable code into >position to be executed... There is no need for malformed input, though. The description isn't great, since upon return from the function, Windows will resume parsing the records in the usual way. 8^) p. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
