Message-ID: <200403072308.i27N8sSZ025213@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: [VulnWatch] Sun passwd(1) Command Vulnerability

"Jay D. Dyson" <jdyson@...traq.org> said:

>I often find the grammar used in security advisories and briefs to be
>confusing, and I'm forced to wonder if the wording is deliberate.
>Historically, when security companies have made claims that they could
>not verify, they have been dealt with in a very public, and very
>humiliating fashion, so I rather suspect that meticulous care is put
>in the phrasing without making any brash unverified statements that
>could cause such embarrassment to said company.

In the case of CVE, sometimes we have chosen to "soften" our
descriptions and use phrases such as "may do X" or "possibly has Y
impact" because:

  1) Exploitability is not always easily or immediately proven - at
     least not publicly, anyway.

  2) Vulnerability details are not always known, so one would need to
     put in the effort to figure out the vulnerability before crafting
     the exploit.

  3) Few (if any?) have the resources to prove exploitability/etc. for
     all of the 50+ vulnerabilities that are reported per week.

This seems to be a trend in vulnerability reporting.  In general, I
think it's a good one, i.e. being more open about how much or little
is known at any particular time.  The motives could be more due to
correctness/accuracy than trying to avoid embarrassment.

And if you're a software vendor or maintainer, why spend a large
number of hours trying to prove exploitability?  One could just patch
the bug, post an alert, and move on to other more pressing matters.


- Steve
