Re: CONTENT DECISION: Presence of Services or Applications (SA)
On Wed, Aug 04, 1999 at 02:55:52PM -0500, Prosser, Mike wrote:
> I agree with these comments as well! Unless there is an actual
> vulnerability related to one of these services, don't see them as
> being CVE material just by running. This becomes a "best practice" or
> company policy decision rather than a vulnerability.
I believe the words you are looking for are vulnerability vs
risk. A service running is a risk. Not a vulnerability.
>
> -mike
>
> -----Original Message-----
> From: Aleph One [mailto:aleph1@UNDERGROUND.ORG]
> Sent: Tuesday, August 03, 1999 11:28 PM
> To: spaf@CS.PURDUE.EDU; Steven M. Christey
> Cc: cve-editorial-board-list@lists.mitre.org
> Subject: Re: CONTENT DECISION: Presence of Services or Applications
> (SA)
>
>
> On Tue, Aug 03, 1999 at 08:52:05PM -0500, Gene Spafford wrote:
> > I really do not like the idea behind this category. We might as
> > well include most MS-based protocols, and most TCP services. The
> > fact that a service is present and has a history of being a point of
> > entry on some systems is not a vulnerability. That's like saying
> > that the presence of computers tends to enable hacking -- take away
> > the computers, and you no longer have break-ins!
>
> Hear, hear!
>
> >
> > --spaf
> >
>
> --
> Aleph One / aleph1@underground.org
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>
>
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01