Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [VulnWatch] Sun passwd(1) Command Vulnerability
From: "Steven M. Christey" <coley () mitre org>
Date: Sun, 7 Mar 2004 18:08:54 -0500 (EST)

"Jay D. Dyson" <jdyson () bugtraq org> said:

I often find the grammar used in security advisories and briefs to be
confusing, and I'm forced to wonder if the wording is deliberate.
Historically, when security companies have made claims that they could
not verify, they have been dealt with in a very public, and very
humilitating fashion, so I rather suspect that meticulous care is put
in the phrasing without making any brash unverified statements, that
could cause such embarassment to said company.

In the case of CVE, sometimes we have chosen to "soften" our
descriptions and use phrases such as "may do X" or "possibly has Y
impact" because:

  1) Exploitability is not always easily or immediately proven - at
     least not publicly, anyway.

  2) Vulnerability details are not always known, so one would need to
     put in the effort to figure out the vulnerability before crafting
     the exploit.

  3) Few (if any?) have the resources to prove exploitability/etc. for
     all of the 50+ vulnerabilities that are reported per week.

This seems to be a trend in vulnerability reporting.  In general, I
think it's a good one, i.e. being more open about how much or little
is known at any particular time.  The motives could be more due to
correctness/accuracy than trying to avoid embarrassment.

And if you're a software vendor or maintainer, why spend a large
number of hours trying to prove exploitability?  One could just patch
the bug, post an alert, and move on to other more pressing matters.

- Steve

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]