funsec mailing list archives
Re: vulnerability overstatement
From: Valdis.Kletnieks () vt edu
Date: Wed, 20 Jan 2010 17:54:42 -0500
On Wed, 20 Jan 2010 16:53:06 EST, Larry Seltzer said:
> On Vista and Win7 the odds that it will execute are too remote to bother with. Even on XP, it only works 1 in 3 chances.
Ya know, 1 out of 3 chances is a good way to start on collecting your share of those 140 million pwned boxes out there. I bet a good fraction of them got whacked at much lower odds than 1 out of 3.
> Security firms never tell you that you need to run as administrator to be vulnerable to something or that it won't execute reliably or that you had to choose to run it manually. They just want you to be afraid.
Somehow, I can't fault security firms for not telling you "you can only get hit if you do XYZ", if XYZ is something we all know is done *all the frikking time by actual users*, like running as admin, or clicking on shit you shouldn't. Yeah, it's sleazy if they fail to reveal the exploit only works if you have on your disk an MP3 of the Finnish national anthem as sung by a Vietnamese boys' choir. But "only if you run as admin" and "choose to run it" are hardly in that category.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Charles Miller (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Valdis . Kletnieks (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Paul Ferguson (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Paul Ferguson (Jan 20)
- Re: vulnerability overstatement Larry Seltzer (Jan 20)
- Re: vulnerability overstatement Charles Miller (Jan 20)
- <Possible follow-ups>
- Re: vulnerability overstatement Thomas Raef (Jan 20)
- Re: vulnerability overstatement Juha-Matti Laurio (Jan 21)
- Re: vulnerability overstatement Larry Seltzer (Jan 21)
- Re: vulnerability overstatement Juha-Matti Laurio (Jan 21)