lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 20 Feb 2004 12:16:03 -0800
From: "Drew Copley" <dcopley@...e.com>
To: "Stuart Moore" <smoore.bugtraq@...urityglobal.net>,
	<thor@...x.com>, <bugtraq@...urityfocus.com>
Subject: RE: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution)


 

> -----Original Message-----
> From: Stuart Moore [mailto:smoore.bugtraq@...urityglobal.net] 
> Sent: Thursday, February 19, 2004 10:40 PM
> To: thor@...x.com; bugtraq@...urityfocus.com
> Subject: is predicatable file location a vuln? (was RE: Aol 
> Instant Messenger/Microsoft Internet Explorer remote code execution)
> 

<snip>

> But this could get messy.  What happens when two issues 
> *must* be combined inorder for a 
> security impact to occur?
> 
> My personal opinion differs from yours (and from 
> SecurityFocus's) regarding BID 8900 
> (Flash) and the nullsoft and icq BID issues.  I think they 
> are not vulnerabilities, but 
> instead are a few of many, many leverage points for porous MS 
> IE/OS security boundaries. 
> But maybe you could make an argument that some popular Win 
> apps make little or no use of 
> OS security features and so are at fault.  Or maybe you could 
> say that an application 
> written for an OS that is known to have security boundary 
> issues is negligent in using 
> predictable locations.  Uh oh, I guess I could really start 
> chasing my tail here ...

For simple, good QA practice... you want to have each bug written up
seperately. This may mean they are all moderate or low severity.
Security bugs, however, have a special classification under a good QA
system. A "low severity" security bug is much more important then a
normal "high severity" non-security bug.

As for security classification systems that are pure classifications...
They each can pick and choose as they want, of course. There is no
board. I would think a note added to these low or moderate issues with
proper credit would suffice. (Which is actually securityfocus style).



> 
> Perhaps a good question for the Secure Coding list 
> (secure-coding.org)?
> 
> Stuart
> 
> 
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ