funsec mailing list archives

Re: vulnerability overstatement


From: Valdis.Kletnieks () vt edu
Date: Wed, 20 Jan 2010 17:54:42 -0500

On Wed, 20 Jan 2010 16:53:06 EST, Larry Seltzer said:
> On Vista and Win7 the odds that it will execute
> are too remote to bother with. Even on XP, it only works 1 in 3 chances.

Ya know, 1 out of 3 chances is a good way to start on collecting your
share of those 140 million pwned boxes out there.  I bet a good fraction of
them got whacked at much lower odds than 1 out of 3.

> Security firms never tell you that you need to run as administrator to
> be vulnerable to something or that it won't execute reliably or that you
> had to choose to run it manually. They just want you to be afraid.

Somehow, I can't fault security firms for not telling you "you can only get
hit if you do XYZ", if XYZ is something we all know is done *all the frikking
time by actual users*, like running as admin, or clicking on shit you shouldn't.

Yeah, it's sleazy if they fail to reveal the exploit only works if you have on
your disk an MP3 of the Finnish national anthem as sung by a Vietnamese boy's
choir. But "only if you run as admin" and "choose to run it" are hardly in that
category.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.