[Asterisk-Users] Broadvoice asterisk patch

Michael Giagnocavo mgg-digium at atrevido.net
Wed Nov 10 15:16:56 MST 2004


>I don't see a security issue with his method.
>
>If you (a) read the entire patch and (b) comprehend fully everything that 
>it does, then there's nothing to worry about.  Fear comes from the unknown,
>and if you know everything in the patch, there's nothing to fear.

I'll agree if you fully comprehend the code, but few people do. Even
experienced developers can easily overlook something here or there.

So assuming that people will "comprehend fully" is making the claim that no
one will ever look over a maliciously coded buffer overflow.

Most users do not know how to read code while checking for maliciously
inserted holes. There are enough accidental holes in all sorts of software
to prove this.

On top of it, it teaches and encourages customers and users to just trust
email attachments. It tells users "hey, next time you get an email, go ahead
and install it".

Finally, this could be exploited right now. Code up a malicious patch, and
email it to someone who has not received an official patch. Or to another
email account of a real customer. Now they've heard "oh, it's a legit
patch", and go install it. Bad.

-Michael
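The practical answer to the point above is to gate on provenance rather than on every user reading the diff: the patch is applied only if it matches something the project published through a channel the attacker does not control. The script below is an added example, not code from this thread or from Asterisk or Broadvoice. It assumes the project publishes a sha256sum-style manifest that is fetched out of band (the project's own site over HTTPS, or a signed announcement), and it never trusts a checksum that arrives in the same email as the attachment. A detached signature from the project's release key is the stronger form of the same check; a checksum manifest is used here because it runs with only coreutils. The patch contents, file names and manifest are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from Asterisk/Broadvoice.
# A patch is applied only if its SHA-256 matches a checksum published by the
# project and obtained out of band, never the checksum in the same e-mail.

sha256_of() {
    # Print the hex digest of file $1 (GNU sha256sum or BSD/macOS shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_patch MANIFEST PATCHFILE
# MANIFEST holds one "<hex digest>  <filename>" line per trusted patch, in
# sha256sum format. Returns 0 if PATCHFILE's digest matches its entry and
# 1 otherwise, including when the file is not listed at all.
verify_patch() {
    manifest=$1
    patchfile=$2
    name=$(basename "$patchfile")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "refusing: $name is not in the trusted manifest" >&2; return 1; }
    actual=$(sha256_of "$patchfile")
    [ "$actual" = "$expected" ] || { echo "refusing: digest mismatch for $name" >&2; return 1; }
    return 0
}

# apply_trusted_patch MANIFEST PATCHFILE SRCDIR
# Verify first, list the files the patch touches, then apply with patch(1).
# Nothing is applied when verification fails.
apply_trusted_patch() {
    verify_patch "$1" "$2" || return 1
    echo "files touched by $(basename "$2"):"
    grep '^+++ ' "$2" | awk '{ print $2 }'
    patch -p1 -d "$3" < "$2"
}

# --- constructed demo input (hypothetical file names, not a real patch) ---
work=$(mktemp -d)
cat > "$work/official.patch" <<'EOF'
--- a/hypothetical.c
+++ b/hypothetical.c
@@ -1,2 +1,3 @@
 int a;
+int b;
 int c;
EOF

# Stand-in for the manifest the project publishes out of band.
manifest="$work/SHA256SUMS"
printf '%s  official.patch\n' "$(sha256_of "$work/official.patch")" > "$manifest"

# Stand-in for a mailed attachment with the same name but altered contents.
mkdir "$work/mail"
{ cat "$work/official.patch"; echo '+int d;'; } > "$work/mail/official.patch"

if verify_patch "$manifest" "$work/official.patch"; then
    echo "official copy: OK"
fi
if verify_patch "$manifest" "$work/mail/official.patch"; then
    echo "mailed copy: OK"
else
    echo "mailed copy: rejected"
fi
```

The two copies differ by one line yet carry the same file name, which is exactly the case a "just install the attachment" habit cannot distinguish; the check rejects the mailed copy without anyone reading either diff.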
