Message-ID: <200403072308.i27N8sSZ025213@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: [VulnWatch] Sun passwd(1) Command Vulnerability
"Jay D. Dyson" <jdyson@...traq.org> said:
>I often find the grammar used in security advisories and briefs to be
>confusing, and I'm forced to wonder if the wording is deliberate.
>Historically, when security companies have made claims that they could
>not verify, they have been dealt with in a very public, and very
>humiliating fashion, so I rather suspect that meticulous care is put
>in the phrasing without making any brash unverified statements, that
>could cause such embarrassment to said company.
In the case of CVE, sometimes we have chosen to "soften" our
descriptions and use phrases such as "may do X" or "possibly has Y
impact" because:
1) Exploitability is not always easily or immediately proven - at
least not publicly, anyway.
2) Vulnerability details are not always known, so one would need to
put in the effort to figure out the vulnerability before crafting
the exploit.
3) Few (if any?) have the resources to prove exploitability/etc. for
all of the 50+ vulnerabilities that are reported per week.
This seems to be a trend in vulnerability reporting. In general, I
think it's a good one, i.e. being more open about how much or little
is known at any particular time. The motives could be more due to
correctness/accuracy than trying to avoid embarrassment.
And if you're a software vendor or maintainer, why spend a large
number of hours trying to prove exploitability? One could just patch
the bug, post an alert, and move on to other more pressing matters.
- Steve