| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Oct 2015 14:16:48 -0400 From: Shawn McMahon <syberghost@...il.com> To: fulldisclosure@...lists.org Subject: Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kanthak@...go.de> wrote: > > That's why giving unsuspecting users *.EXE to install a software package > or to unpack an archive and thus training them to run almost anything > they get their hands on is a BLOODY STUPID idea in the first place. > > ALWAYS use the platforms native package or archive formats to distribute > your software or files! > Perhaps it's my ignorance talking, but I just don't see how: "Run this EXE that might contain bad stuff" is worse than: "Install this .msi as Admin that might contain bad stuff" or "install this RPM as root that might contain bad stuff" or "install this .pkg as root that might contain bad stuff." The vulnerability is installing things when you don't know what they are or where they came from, not the particular form in which they're packaged. If it's got a GUI, clicking on its packages is going to prompt you to escalate privileges and install them. If I'm missing something, drop some knowledge on me and I'll install it. Even if it's not signed. :) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists