Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

From: Reindl Harald <h.reindl () thelounge net>
Date: Wed, 21 May 2014 20:21:06 +0200


Am 21.05.2014 20:12, schrieb Michal Zalewski:

the existence of "C:\Program.exe" must not have any bad affect
for any random installer not intending to execute this


Sounds like a good goal. The installer probably also shouldn't play
obscene messages via PC speaker. If it did, it would be undesirable
and probably considered a bug

Now, in practical terms... in absence of a plausible risk / attack
vector, it doesn't sound like much of a security issue (unless you
adopt the approach advocated on the predecessor of this list by Mr.
Lemonias)


and *that* attitude is the root cause for all the software crap around

* anobody knows that unverified input is bad
* anybody knows that unescaped input is bad

so why the fuck discuss in the way "show me the attack vector"
instead a) learn from the existing bad code to write better and
just accept that *it is* a security relevant bug

90 out of 100 security flaws in the past years where from the
category "hy should i bother about this and that, it is unlikely"

Attachment: signature.asc
Description: OpenPGP digital signature


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: