lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <4559F8DE.2688.4D8971B9@nick.virus-l.demon.co.uk>
Date: Tue, 14 Nov 2006 17:11:58 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege
 escalation vulnerability

Raphael Marichez to Nick Boyce (??):

> > um ... doesn't that make it a *remote* privilege escalation ?
> 
> in a certain way... you're right... although that requires the user
> complicity, strictly speaking, you're right.

Makes it no less remote.

Not _automatic_ remote, but still very, very much "remote".

> The guy who would manage to remotely root a box with that vulnerability would
> be really good. The real serious risk is local only. (think about all
> that unpatched linux boxes in the universities...)

You have a really odd view of the security exposure...

Even _Microsoft_ (now) self-rates this type of vulnerability as 
critical and remotely exploitable for execution of arbitrary code (e.g. 
the WMF vuln from late last year).  OK -- so we can quibble over 
whether it released patches quickly enough in that case (no), but at 
least even the traditionally considered slackest of security slackers 
gets the rating of the severity and scope of this kind of vuln right.

Any hope of Linux distro folk getting that clued?


Regards,

Nick FitzGerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ