|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: assignments for malware
- To: jericho <jericho@attrition.org>
- Subject: Re: assignments for malware
- From: Kurt Seifried <kurt@seifried.org>
- Date: Mon, 13 Aug 2018 13:36:45 -0600
- Authentication-results: spf=softfail (sender IP is 198.49.146.235) smtp.mailfrom=seifried.org; imc.mitre.org; dkim=pass (signature was verified) header.d=seifried-org.20150623.gappssmtp.com;imc.mitre.org; dmarc=none action=none header.from=seifried.org;
- Cc: CVE Editorial Board <cve-editorial-board-list@mitre.org>
- Delivery-date: Mon Aug 13 15:54:22 2018
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seifried-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8Dq6Mf+eGXdMYVxnyOzc1NUDafPi6VHfm/owCOEN9Ws=; b=VP8bOoF9Bvz4X8MMnqLCifR5NMELEP25hQ5ZLipck96inwr7HIjkwdRcCpTaqQM6F/ RPV23CTElFgVDomS3HuAbC/vzI4jtf37DmM2caj4EGlA/GnLYNIhJ3lyaHBktkIw7Wcn jUvmDY5SsPTQfvO2Z4W1A9+4B2e532PYT8HF3bWmjdgEM4wdHtmd5RxVGSRX3jZzjZD4 i7sMi+8M4WBqpzqWsYHrptGluGJ6hdDxGFD5uln5O3r/qNzrkXp6wxlej09qhocBu6ke zPE+w8jisFFS/Hn4vtLKZPq6eUkeOb9319k4Fq82TE5i6p9b6Qc78BmNFKY9JYYwXR+7 DicA==
- In-reply-to: <alpine.LNX.2.20.1808131431070.14361@forced.attrition.org>
- References: <alpine.LNX.2.20.1808131148090.14361@forced.attrition.org> <CABqVa38yfbG7dSZ3Fz=VVCaSFoCSUGma7vUF7ramQHqw6N3UiQ@mail.gmail.com> <alpine.LNX.2.20.1808131431070.14361@forced.attrition.org>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Depending on how the names are parsed and how the namespace is managed (or not) it can actually be attacked in some cases, through automated dependancy resolvers. And again, if there's malicious code being distributed and used is there some specific reason we don't want to tell people about it, and would rather ignore it? I think reducing the scope of coverage of CVE doesn't make much sense, especially in the modern world with how agile-hyper-dev-sec-ops-scrum (I don't know what the terms are anynmore so just making a single large one) is actually using a lot of this stuff in ways that ignore pretty much everything except for CVEs when it comes to problems.
On Mon, Aug 13, 2018 at 1:31 PM, jericho <jericho@attrition.org> wrote:
On Mon, 13 Aug 2018, Kurt Seifried wrote:
: A backdoor is a vulnerability. I think the problem is CVE in past dealt
: with "oops we make a mistake" and not "oops, a malicious actor did it on
: purpose".
:
: Doesn't matter to the end user, well actually it does, backdoors are
: worse because someone for sure knows about the vulnerability and most
: likely intended to use it. So do these things need CVEs, tracking and
: remediation for people affected by it? Yes.
:
: I'm trying to imagine a scenario where a software or service user goes
: "oh, this exploitable flaw is a backdoor, thus no CVE, thus we don't
: need to remediate it" and uhh.. I can't imagine that, not even close.
Granted. But a malicious module that has a similar name as another isn't a
backdoor.
Kurt Seifried
kurt@seifried.org
kurt@seifried.org
- Follow-Ups:
- Re: assignments for malware
- From: jericho <jericho@attrition.org>
- Re: assignments for malware
- References:
- assignments for malware
- From: jericho <jericho@attrition.org>
- Re: assignments for malware
- From: Kurt Seifried <kurt@seifried.org>
- Re: assignments for malware
- From: jericho <jericho@attrition.org>
- assignments for malware
- Prev by Date: Re: assignments for malware
- Next by Date: Re: assignments for malware
- Previous by thread: Re: assignments for malware
- Next by thread: Re: assignments for malware
- Index(es):