<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=605322914-02042007>>><FONT face="Times New Roman" color=#000000
size=3>"Heap spraying" is filling the heap with controllable data... This is
simply allocating things in the heap. NOT running code.<BR><FONT face=Arial
color=#0000ff size=2>>></FONT>You are trying to say that once you jump
into that code via some exploit (NOT part of the heap spraying technique itself)
THEN you are "running code in the heap". </FONT><BR></SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=605322914-02042007>What's the point of spraying the heap if you're not
going to jump into it?</DIV></SPAN></FONT>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left>
<DIV align=left><FONT size=2>Larry Seltzer<BR>eWEEK.com Security Center
Editor<BR></FONT><A
title="blocked::http://security.eweek.com/ http://security.eweek.com/"
href="blocked::http://security.eweek.com/"><FONT
title=blocked::http://security.eweek.com/
size=2>http://security.eweek.com/</FONT></A><BR><FONT face=Arial size=2><A
title=http://blog.eweek.com/blogs/larry_seltzer/
href="http://blog.eweek.com/blogs/larry_seltzer/">http://blog.eweek.com/blogs/larry%5Fseltzer/</A></FONT><A
title=http://blog.ziffdavis.com/seltzer
href="http://blog.ziffdavis.com/seltzer"><FONT
title=http://blog.ziffdavis.com/seltzer size=2></FONT></A></DIV>
<DIV align=left><SPAN class=288233402-13072005><FONT size=2>Contributing Editor,
PC Magazine</FONT></SPAN><BR><FONT size=2>larryseltzer@ziffdavis.com
</FONT></DIV></DIV></BODY></HTML>