Re: Back to Being a Luddite (Oh Well)

>> I don't think it does. Has anyone made measurements? Text files and
>> graphics don't have to be checked, only executable code.
>
> I believe there have been several overflows found in image processing
> libraries (jpeg,pdf,tiff...) used by popular browsers and image
> viewers.
>
> I am also aware of at least one entirely text based attack on a hole in
> a java runtime engine.
>
> sidd

Yep. Buffer overruns are the biggest issue with web stuff. Shove more of something than is expected at just the right time and a badly coded something will barf or let it overwrite some code. And if that code can later be forced to execute then you have a way to stuff your own code into the system and have it execute. I saw a writeup about one of the biggies that hit MS servers a few years back and the actual inserted code was maybe 20 or 40 characters. So it doesn't take much. And it doesn't have to be "code" that your browser thinks it is being fed. Text, graphics, code, etc ... are just labels. It's all bits.

DLR
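
Added example, not part of the original post: a small C sketch of the length-field overflow the thread describes in parsers for "data" files, shown beside a bounds-checked form. The record layout, function names and sample bytes are constructed for illustration and do not correspond to any real image format or library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 16 /* fixed-size destination buffer */

/* Constructed record layout (hypothetical, not a real image format):
 * byte 0 = tag, bytes 1-2 = big-endian payload length, bytes 3.. = payload. */

/* Unchecked form, for comparison only (never called here): the length comes
 * straight from the file, so a record claiming more than COMMENT_MAX - 1
 * bytes makes memcpy write past the end of out. */
void read_comment_unchecked(const uint8_t *in, char *out) {
    size_t len = ((size_t)in[1] << 8) | in[2];
    memcpy(out, in + 3, len);
    out[len] = '\0';
}

/* Checked form: returns the payload length, or -1 for a malformed record. */
int read_comment_checked(const uint8_t *in, size_t in_len,
                         char *out, size_t out_cap) {
    if (in_len < 3 || out_cap == 0) return -1;
    size_t len = ((size_t)in[1] << 8) | in[2];
    if (len > in_len - 3) return -1; /* header claims more than the input holds */
    if (len >= out_cap) return -1;   /* payload plus NUL would not fit in out */
    memcpy(out, in + 3, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample records. */
static const uint8_t ok_record[] = {0xFE, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Header claims 0x0040 = 64 payload bytes, four times the buffer size. */
static const uint8_t oversized_record[3 + 64] = {0xFE, 0x00, 0x40, 'A'};
/* Header claims 8 payload bytes but only 2 are present. */
static const uint8_t truncated_record[] = {0xFE, 0x00, 0x08, 'a', 'b'};

int main(void) {
    char buf[COMMENT_MAX];
    printf("ok:        %d\n", read_comment_checked(ok_record, sizeof ok_record, buf, sizeof buf));
    printf("oversized: %d\n", read_comment_checked(oversized_record, sizeof oversized_record, buf, sizeof buf));
    printf("truncated: %d\n", read_comment_checked(truncated_record, sizeof truncated_record, buf, sizeof buf));
    return 0;
}
```

The two rejections are separate checks: one compares the claimed length with what the input actually contains, the other with what the destination can hold.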
