[15837] in bugtraq


Re: SANS Flash: Most dangerous flaw found in Windows

daemon@ATHENA.MIT.EDU (CERT Coordination Center)
Tue Jul 18 18:45:27 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id:  <1865037.3172932079@centerfield.blue.cert.org>
Date:         Tue, 18 Jul 2000 18:01:19 -0400
Reply-To: CERT Coordination Center <cert@cert.org>
From: CERT Coordination Center <cert@CERT.ORG>
X-To:         aleph1@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000718133148.A3812@securityfocus.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Tuesday, July 18, 2000 1:31 PM -0700 aleph1@SECURITYFOCUS.COM wrote:

> It's also silly for SANS to call this the "most dangerous flaw found in
> Windows workstations". Is this a dangerous flaw? Yes, very much so.
> But there have been flaws in the past that have been worse. For example,
> the MIME buffer overflow in email clients such as Netscape and Outlook.
> Remember, for this problem to work you need to have Access installed.

The CERT Coordination Center encourages people not to engage in hyperbole
or exaggeration when disseminating vulnerability information. It only
serves to muddy the water and make the difficult job of prioritization of
security management tasks that much harder.

> I would also caution anyone against using a vulnerability to patch a
> vulnerability. Most vulnerabilities are bugs and do not have well-defined
> behavior. As such, trying to use one as a mechanism to apply fixes is
> a risky proposition. While certainly an intriguing, if well known, idea,
> it may not perform reliably, and you will be left with a false sense of
> security if it fails to fix the problem.

We concur. In addition to the problems you mention, some sites may choose
to live with the risk of being vulnerable in exchange for some desired
functionality. A virus that "fixes" a problem for one site may escape and
have serious negative consequences for another site. We strongly discourage
this type of behavior, no matter how altruistically motivated.

Shawn

Shawn Hernan
svh@cert.org
Vulnerability Handling Team Leader
CERT Coordination Center
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOXTTilr9kb5qlZHQEQLXHgCg1g0kI3Ep6oAW5aP8rcL4qI3j6EoAoOnz
/gMANxF+95BAW1CPx+mz52PG
=ZnNW
-----END PGP SIGNATURE-----
