Full Disclosure mailing list archives

Re: Linux Privilege Escalation exploits


From: Tim <tim-security () sentinelchicken org>
Date: Sat, 15 Jul 2006 11:19:19 -0400

> destruction and so on. People need to decide for themselves how
> critical it is. My 2krone.

Exactly.  Generic severity ratings are pointless.  Even if they were
standardized, they would be of very little value since risk is highly
dependent on an organization's deployment of the vulnerable software
described.  Those releasing the ratings know nothing about how it is
deployed, what is at risk by the deployment, and how far an attacker
would have to go to obtain access to the vulnerable software.

Often these ratings act against the recommendations of security
administrators, because if management sees a "Low" or "Medium" severity,
they don't regard it as something to act on quickly when it should be,
or they'll burn resources on something rated "High" even though it may
not impact the specific deployment in a severe way.

It is better to provide concise, complete, and accurate information
about vectors of attack and the potential results of those attacks to
allow people to make their own decisions.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
