[cryptography] Interesting note on how MS assign vulnerability classifications

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Sep 7 18:54:37 EDT 2012


From Raymond Chen's blog, 
http://blogs.msdn.com/b/oldnewthing/archive/2012/09/06/10346743.aspx:

  Since heap corruption can in principle lead to anything, any bug that
  results in heap corruption automatically gets a default classification of
  Arbitrary Code Execution, and if the heap corruption can be triggered via
  the network, it gets an automatic default classification of Remote Code
  Execution (RCE). Even if the likelihood of transforming the heap corruption
  into remote code execution is exceedingly low, you still have to classify it
  as RCE until you can rule out all possibility of code execution. 

Peter.
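
An added illustration of the point Chen makes, written for this page and not taken from his post or from the message above: why a plain heap overflow is treated as code execution until someone proves it is not. The example is entirely constructed. A hypothetical request record (`request_t`) keeps a completion callback right after a fixed-size name field, a hypothetical parser (`parse_vulnerable`) trusts the wire length, and a message padded to the field boundary with raw pointer bytes appended lands on the callback. `parse_fixed` is the same parser with the bounds check that should have been there. Real heap corruption usually spills into a neighbouring chunk or allocator metadata rather than staying inside one object, and whether that turns into code execution depends on layout the reporter cannot see; keeping everything inside one object here just makes the hijack deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

typedef void (*callback_t)(void);

/* Hypothetical heap-allocated request record (constructed for this example):
 * a fixed-size name field immediately followed by a completion callback. */
typedef struct {
    char name[NAME_LEN];
    callback_t on_done;
} request_t;

static int benign_calls;    /* how often the intended handler ran */
static int hijacked_calls;  /* how often control reached the attacker's choice */

static void benign_handler(void)  { benign_calls++; }
static void attacker_target(void) { hijacked_calls++; }

int benign_count(void)   { return benign_calls; }
int hijacked_count(void) { return hijacked_calls; }

/* Vulnerable parser: trusts the length that came off the wire and copies
 * that many bytes into name[]. Any len > NAME_LEN writes past the field,
 * i.e. heap corruption, and here the next thing in memory is on_done. */
static request_t *parse_vulnerable(const unsigned char *msg, size_t len) {
    request_t *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->on_done = benign_handler;
    char *dst = r->name;
    for (size_t i = 0; i < len; i++)   /* no bounds check */
        dst[i] = (char)msg[i];
    return r;
}

/* Hardened parser: refuses anything that does not fit, NUL terminator included. */
static request_t *parse_fixed(const unsigned char *msg, size_t len) {
    if (len >= NAME_LEN) return NULL;
    request_t *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->on_done = benign_handler;
    memcpy(r->name, msg, len);
    r->name[len] = '\0';
    return r;
}

/* Constructed "network message": fill name[] exactly, then append the raw
 * bytes of a function pointer so the unchecked copy lands on on_done. */
static size_t build_message(unsigned char *out, size_t cap, callback_t target) {
    size_t off = offsetof(request_t, on_done);
    if (cap < off + sizeof target) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Returns 1 when the overflow redirected on_done to attacker_target. */
int run_vulnerable_demo(void) {
    unsigned char msg[64];
    size_t len = build_message(msg, sizeof msg, attacker_target);
    if (len == 0) return -1;
    request_t *r = parse_vulnerable(msg, len);
    if (r == NULL) return -1;
    int hijacked = (r->on_done == attacker_target);
    r->on_done();   /* control flow now goes wherever the message said */
    free(r);
    return hijacked;
}

/* Returns 1 when the hardened parser rejects the oversized message and
 * still accepts a well-formed one, whose callback then runs as intended. */
int run_fixed_demo(void) {
    unsigned char msg[64];
    size_t len = build_message(msg, sizeof msg, attacker_target);
    if (len == 0) return -1;
    request_t *r = parse_fixed(msg, len);
    if (r != NULL) { free(r); return 0; }   /* overflow got through */
    const unsigned char good[] = "ok";
    r = parse_fixed(good, 2);
    if (r == NULL) return 0;
    int intact = (r->on_done == benign_handler);
    r->on_done();
    free(r);
    return intact;
}

int main(void) {
    printf("vulnerable parser hijacked: %d (attacker target ran %d times)\n",
           run_vulnerable_demo(), hijacked_count());
    printf("hardened parser correct:    %d (benign handler ran %d times)\n",
           run_fixed_demo(), benign_count());
    return 0;
}
```

Nothing about the vulnerable parser says "code execution" on its face; it is an off-by-`len` copy. The classification rule in the quote exists because the step from there to `attacker_target` running is a property of memory layout, not of the bug, and the person filing the report is rarely in a position to rule it out.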


