Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Jan 2012 18:01:46 -0500
From: Xi Wang <>
Subject: Malicious devices & vulnerabilties


In general driver code trusts hardware devices and often doesn't
validate the data they respond with.  But how about USB devices
that an attacker could plug into a victim's computer?  For example,
an attacker may craft a USB device with a long product name to cause
a buffer overflow (CVE-2011-0712).!/mwrlabs/status/44814759396249600

Here is another possible bug in the USB audio format parser I tried
to report upstream.

I am wondering where to draw the line.  Should such device drivers
be considered vulnerable or not?  Thanks.

- xi

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.