Message-ID: <45FEF48B43DF4FD795B15197018B855E@W340>
Date: Mon, 5 Oct 2015 14:16:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <research@...nerability-lab.com>,
<gynvael@...dwind.pl>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability
"Gynvael Coldwind" <gynvael@...dwind.pl> wrote:
> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?
Amen!
> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file, set the winrar sfx icon and send it to the
> victim.
That's why giving unsuspecting users *.EXE to install a software package
or to unpack an archive and thus training them to run almost anything
they get their hands on is a BLOODY STUPID idea in the first place.
ALWAYS use the platform's native package or archive formats to distribute
your software or files!
> Keep in mind that not every unexpected behavior or software bug is a
> security vulnerability.
>
> (and no, potential AV bypass doesn't make it a vulnerability either)
Right again.
stay tuned
Stefan
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/