Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 15:35:17 -0500 (EST)
: Hmm. I guess my point here is that vendors are very bad places to get
: your vulnerability information. When we release a WINS overflow, and it
: works, that means there's 100% chance of an exploitable vulnerability.
: Microsoft won't acknowledge that until they have a patch, which games
: the system a bit. When Cisco releases an advisory on BGP saying it's a
: DoS, that's misleading. Etc.

Real did the same in the past. Flagged remote overflows as 'DoS' when it was already proven by the researcher to be much worse.

This also brings up another thing the Vulnerability Databases have thought about, and that has been discussed on Full-Disclosure recently. How do you classify vulnerabilities triggered by malformed media files? Think of a malformed PDF or mp3 that triggers an overflow in Adobe or Winamp. Is that a remote overflow? The classic definition of remote vs local just doesn't work for this. If you say remote, what if you find the mp3 in /tmp on your local unix system and play it? If you say local, what if the file is embedded in a web page?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave