Someone just notified me off-list that I am confusing the two vulnerabilities listed on the page. Both were first notified in October, but the vendor has only declined to address the less serious of the two. For the overflow, they were notified on October, and (he claims) given an exploit in December. I don't know why the delay. Apologies for the confusion on my part. It doesn't make any difference from a moderation point of view.. I would have put the message through even if I did comprehend it correctly the first time. BB Blue Boar wrote: > > Krish Ahya wrote: > > > > Why would you release an exploit for this hole if currently there are no > > security patches for it? Do you know how many people run mIRC? Most of which > > know nothing about even how they got online! My prediction is that several > > machines are going to get compromised due to this. > > Did you read the page he referenced, where he indicates that he > contacted the vendor in October, and they declined to make any changes? > http://www.uuuppz.com/research/adv-001-mirc.htm > > BB
This archive was generated by hypermail 2b30 : Sun Feb 03 2002 - 14:32:49 PST