| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <537CEE92.2090007@thelounge.net>
Date: Wed, 21 May 2014 20:21:06 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Beginners error: Hewlett-Packards driver software executes
rogue binary C:\Program.exe
Am 21.05.2014 20:12, schrieb Michal Zalewski:
>> the existence of "C:\Program.exe" must not have any bad affect
>> for any random installer not intending to execute this
>
> Sounds like a good goal. The installer probably also shouldn't play
> obscene messages via PC speaker. If it did, it would be undesirable
> and probably considered a bug
>
> Now, in practical terms... in absence of a plausible risk / attack
> vector, it doesn't sound like much of a security issue (unless you
> adopt the approach advocated on the predecessor of this list by Mr.
> Lemonias)
and *that* attitude is the root cause for all the software crap around
* anobody knows that unverified input is bad
* anybody knows that unescaped input is bad
so why the fuck discuss in the way "show me the attack vector"
instead a) learn from the existing bad code to write better and
just accept that *it is* a security relevant bug
90 out of 100 security flaws in the past years where from the
category "hy should i bother about this and that, it is unlikely"
Download attachment "signature.asc" of type "application/pgp-signature" (247 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists