
RE: Re: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution)



 

> -----Original Message-----
> From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx] 
> Sent: Friday, February 20, 2004 1:37 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: is predicatable file location a vuln? (was RE: 
> Aol Instant Messenger/Microsoft Internet Explorer remote code 
> execution)
> 
> 
> 
> <!--  
> 
> > Being able to store arbitrary content in a predictable file
> > location is a vulnerability category of its own
> 
> An interesting category, for sure.  I think this point deserves 
> discussion.  Is the use of  predictable file locations really a 
> vulnerability?
> 
>  -->
> 
> If it isn't it should be. I'll give you four that have been put 
> on the back-burner for later realization (make a note that this 
> will be fair warning to the vendor):

If the predictable path involves server or client access, then it is
definitely a security bug. It may be moderate or low risk depending on
the potentiality of abuse and perhaps other factors. But, as a security
bug it should be higher risk than high risk, non-security issues.

With Internet Explorer or Outlook or Winamp and so on... These kinds of
client applications have shown that these issues tend more towards being
moderate security issues of the "configuration error" type.

Anyway, not to be dogmatic, but I do believe this is reasonable. 

If Microsoft is not fixing these issues because they do not consider
them security issues nor even bugs, then they are obviously negligent and
grossly so.



<snip>
> 
> The vendor in all cases, just cannot be bothered to fix any of 
> these things. Simply does not care. It seems that the new mantra 
> is "none of our customers are affected by it" so let's not fix 
> it.
> 
> WATCH OUT !
> 
> All these will culminate in yet another STENCH ! exploit sooner 
> or later.
> 
> That is a true predictable path.
> 
> 
> End Call
> 
> 
> -- 
> http://www.malware.com