On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
> Even if your systems were patched an attacker could have already attained
> the secrets.
>
> Certs and other sensitive information need to be reconsidered for
> replacement or changed

How realistic is it that an attacker would be able to glean passwords through this vulnerability? Programmatically searching through 64k memory dumps for certificates seems plausible, but looking for passwords does not. A password is of no pre-determined length or format. So unless you know what strings are wrapped around it (and those strings are reliably presented), isn't the loss of some types of sensitive information.... unlikely?

Cheers.
Craig

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/