Full Disclosure mailing list archives
Re: Linux Privilege Escalation exploits
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 15 Jul 2006 11:19:19 -0400
destruction and so on. People need to decide for themselves how critical it is. My 2krone.
Exactly. Generic severity ratings are pointless. Even if they were standardized, they would be of very little value since risk is highly dependent on an organization's deployment of the vulnerable software described. Those releasing the ratings know nothing about how it is deployed, what is at risk by the deployment, and how far an attacker would have to go to obtain access to the vulnerable software.

Often these ratings act against the recommendations of security administrators, because if management sees a "Low" or "Medium" severity, they don't regard it as something to act on quickly when it should be, or they'll burn resources on something rated "High" even though it may not impact the specific deployment in a severe way.

It is better to provide concise, complete, and accurate information about vectors of attack and the potential results of those attacks to allow people to make their own decisions.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Linux Privilege Escalation exploits David Taylor (Jul 14)
- Re: Linux Privilege Escalation exploits Valdis . Kletnieks (Jul 14)
- Re: Linux Privilege Escalation exploits Knud Erik Højgaard (Jul 15)
- Re: Linux Privilege Escalation exploits Tim (Jul 15)
- Re: Linux Privilege Escalation exploits Christian Swartzbaugh (Jul 18)
- Re: Linux Privilege Escalation exploits Tim (Jul 15)