Domain: mitre.org
Stories and comments across the archive that link to mitre.org.
Comments · 407
-
Re:Interesting vulnerabilities on the site
hmm... the memory "leak" seems to be an information leak from the friendly vulnerability:
This PoC will demonstrate the Linux kernel CVE-2007-1000 vulnerability and will search for patterns inside memory.
from a description of CVE-2007-1000 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1000
The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
Certainly seems (locally) exploitable to me. -
Re:sendmail vs postfix
The argument they used in the book, page 22, is "...Sendmail has many of the security problems listed on the Common Vulnerabilities and Exposures (CVE) list hosted at http://cve.mitre.org/."
I did a quick search on the site. Sendmail has 69 listed, while Postfix has 10. I'm not saying the book is right, I'm just saying how they made the argument. -
Remote DoS
There's no mention of CVE-2007-1841, a remote DoS against the IPsec daemon racoon.
-
When crashes become vulnerabilities
Looking back at Microsoft's track record, there are several examples of how seemingly denial of service conditions (application crashes) have been escalated to exploitable vulnerabilities.
For example, CVE-2006-3648 and Exploiting the Otherwise Non-exploitable on Windows details how MS exception handling in Internet Explorer can be exploited. Why should I have faith that the effects of this crash are not exploitable as well?
Additionally, just because something was initially reported as a crash, does not mean researchers won't find a way to later exploit it. Again, visiting the MS IE browser: Javascript window() issue in IE was publicly reported as a DoS in May 2005 and was ignored, until being reported as exploitable in November 2005. Why could not the same thing happen here?
Oh, I get it, Mr. LeBlanc at MS wants to tout his SafeInt class... well, being Office is closed source, vulnerability researchers cannot really examine this "security feature". I guess this offers MS a safety net to claim that these "features" are "3... meant it to blow up, and [are] clearly not exploitable", while protecting themselves from the vulnerability community finding exploitable flaws in the SafeInt code.
-
First reported December 2006
Here is a reference to a more informative report.
-
Re:Advisory Timeline
An outsider's opinion: I've heard that OpenBSD takes security seriously. Then I see this story and I'm shocked. There's no excuse for labelling a remote denial of service as anything but a security issue. You can argue with their system of classification, but if you're actually administering an openbsd box, are you skipping the reliability patches because you like unreliable, but secure servers? I hope not... Well, yes, I might. There's a difference between a bug that a user might run across and screw himself over and an exploit that any random script kiddie can use to take down your machine. The first is a reliability issue, the second is a security issue. Yes, there is a distinction between taking down a machine and being able to run arbitrary code on it, and if that is OpenBSD's concern they should come up with categories under security that reflect that fact.
I find the OpenBSD position appalling. I've gone from respect and considering them as an OS to use, to wanting nothing to do with them.
These are my "common sense" opinions. CVE agrees with them. Honestly, I have no axe to grind, I'm not a Linux or whatever advocate, etc. It just seems so obvious that OpenBSD has betrayed the very principles they stand upon. -
Re:WHOA WTF
Last remote root vulnerability for Linux. Note that, like the OpenBSD advisory, there are currently no known exploits. The OpenBSD bug was found by OpenBSD's own developers.
-
Re:and...
Reservation: I didn't read TFA, I've no idea about CVE numbers, but the CVE number for this issue was first listed as "reserved" over a month ago. Not two months after it was found, but still six weeks or so.
-
Re:You really don't know what you're talking about
And as soon as someone cracks the PGP client app then PGP is useless too.
The thing is, it's much easier said than done.
Don't be naive.
Huh?
The PGP client app is just a program that does some math. The math is public key encryption. "Cracking" a PGP client app doesn't invalidate the underlying math but could compromise the security of those using the cracked app. Attacking an app doesn't always mean you're attacking the math. For example the Buffer overflow in PGP Outlook Encryption Plug-In -
DIY!
If you want to set up a mesh network in your own neighbourhood then you can take a look at a free, open source mesh network software package from Mitre corp. I used to use it in a past life to build networks that were adequate for VOIP with some tuning (and a lot of broadcast voodoo), and the ability to route traffic via more than one end node is fantastic. Set up a base station in every home with an 802.11g backhaul (and decent antennas) to provide the basic mesh, terminate in one or two houses with a fast cable/DSL connection and bang, instant multihomed network for everyone worth pi geek points.
-
Buffer overflow, not just macros
Read this: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openoffice
Note that 2.0.3 fixes (at least) 3 flaws, one of which involves a buffer overflow that happens when you open any kind of openoffice document: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-the-openoffice-suite/
Now, this doesn't mean OpenOffice security is bad, or that it's good, it just means that OpenOffice is subject to exactly the same kinds of security issues that happen whenever a complex app parses a complex data format. To pretend that it's somehow magically immune to this class of problem because of open source pixie dust is utter rubbish. Read the code. -
CVE-2006-2198
I think that the flaw they are talking about is CVE-2006-2198, which was fixed in OOo-2.0.3. It was pretty nasty, executes arbitrary macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?
-
Operations Research
The field of Ops Research (OR) started in WWII to find shipping routes that minimized encounters with U-boats. While it is typically considered a more applied field, it relies heavily on theoretical mathematics for its basis and many of the good OR companies employ a lot of theoretical math PhDs. Some companies to check out:
SPA: http://www.spa.com/
ILOG: http://www.ilog.com/
Metron: http://www.metsci.com/
DA: http://www.decisive-analytics.com/
MITRE: http://www.mitre.org/
LMI: http://www.lmi.org/
There are plenty of others. These are just a few off the top of my head. -
MITRE
MITRE is a blast. Ideal for research types and applied geeks alike. From nano-tech to the DARPA grand challenge, MITRE has something for every college-educated nerd.
Pay is good. Pressure is light, if any. Funding is near limitless. The work environment is modern, well-equipped, and relatively spacious compared to most similar orgs.
MITRE has been one of Fortune's "100 Best Companies To Work For" 5 years in a row (ranked 66 this year) and one of IDG / Computerworld's "Best Places to Work in IT" for 2 years (ranked 8 this year). Check out the Fortune writeup HERE.
The biggest challenge you will face at MITRE is getting hired. Apparently, there were only 191 NEW jobs + 250 or so job openings due to voluntary turnover... and nearly 25,000 applicants. Yikes.
-
PowerPoint vulnerability FAQ document released
There is a related Frequently Asked Questions document published too, it was mentioned at CVE entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590 of this PowerPoint vulnerability:
http://blogs.securiteam.com/?p=508 -
Re:Keys need protection as well
CVE-2006-1173 is a vulnerability in Sendmail. Debian uses Exim by default. Why would CVE-2006-1173 cause you to ditch debian?
-
Watch out for CVE-2006-2193
$ strings ~/Apps/google-earth/libtiff.so.3 | grep Version
LIBTIFF, Version 3.7.3
From CVE-2006-2193:
Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.
While I doubt Google Earth will be calling this function, this goes to show the danger that users place themselves in when they run software that takes it upon itself to bundle together the libraries that it depends on. -
Re:Question
Here's the debian.org listserv postmortem. They subsequently discovered an error in do_brk(), which is described in eweek and has the CVE of CVE-2003-0961. Slashdot discussion here.
-
Re:No link to actual advisory in summary or articl
Further info of this security advisory available on CVE-2006-0058 and from Security Focus
-
Flaw seems unexploited
As everyone who follows the Slackware changelog, new packages were available yesterday. It seems there is still no exploit for this flaw, and it's somehow hard to exploit. That's the impression I got from the changelog entry. I'll paste it here:
n/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6.
This new version of sendmail contains a fix for a security problem
discovered by Mark Dowd of ISS X-Force. From sendmail's advisory:
Sendmail was notified by security researchers at ISS that, under some
specific timing conditions, this vulnerability may permit a specifically
crafted attack to take over the sendmail MTA process, allowing remote
attackers to execute commands and run arbitrary programs on the system
running the MTA, affecting email delivery, or tampering with other
programs and data on this system. Sendmail is not aware of any public
exploit code for this vulnerability. This connection-oriented
vulnerability does not occur in the normal course of sending and
receiving email. It is only triggered when specific conditions are
created through SMTP connection layer commands.
Sendmail's complete advisory may be found here:
http://www.sendmail.com/company/advisory/index.shtml
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
(* Security fix *) -
Re:Try them out
I agree with you, and have had issues with this as well.
You can look *SOME* of them up under the CME numbers (http://cme.mitre.org/), and you can try the vendor sites, including Kaspersky labs (http://viruslist.com/).
To answer your question: NO! there is no comprehensive list.
BTW: Don't try to create one it'll be an exercise in futility! -
Re:Stallman slipping?
Stallman came out to speak at MITRE a couple of years back. It was right after the paper MITRE published that basically said "yeah, you can use open source software on government projects, the risks are manageable and the cost savings can be great".
So he's in a room with a bunch of mostly older computer engineers in the government sector. The first part of his speech goes alright, but then he starts driving off into crazytown. By the end of the speech, he's put on a robe and halo(!!!) and is talking about everyone embracing his ideals. Mind you, this is to a bunch of men mostly wearing suits in a corporate setting. I've never felt so embarrassed to be an open source advocate.
I really appreciate what RMS is trying to do, especially since from his perspective the world is going crazy with the proliferation of DRM technologies and restrictions on what you can and can't do with stuff you own, but nobody is going to take him seriously if he tries to compare himself with Jesus. RMS is his own worst enemy. -
CME is one name for every malware.
Common Malware Enumeration (CME) explanation.
CME List, which has numbers above 900.
--
Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement? -
Re:Why not assign every virus an ID number?
Interestingly enough, they did. Replace the V with an M, and you get Common Malware Enumeration.
And, just like CVE, no one uses it. Go US Department of Homeland Security! -
Re:Ah, Windows
Umm... how about these file format bugs, which could be exploited just by opening/viewing files on Linux or OSX?
PNG ZIP GIF
File parsing vulnerabilities are certainly as prevalent on Linux and OSX as Windows. It seems that most worm writers don't bother attacking these, though, as Linux and OSX combined make up a very small percentage of client workstations.
-
CME-24 aliases, information, and removal tools
Here's how to know the difference between a money-making press release, and an honest story: The press release says "Fear, fear, fear!!!"
The honest story gives you links to tools for eliminating the threat: You can run this tool: W32.Blackmal@mm Removal Tool, which apparently removes all variants of the worm.
Here are manual instructions: WORM_GREW.A, Also known as: CME-24
Here is the list of names of the CME-24 worm, and links to removal methods: CME-24 aliases, information, and removal tools. -
Many Aliases and More Info
For references, these are the enumeration names and where to go to make sure you have the latest anti-virus signature. Remember, this variant will uninstall and delete most anti-virus software so it's important to recognize it before it goes active tomorrow. Most virus definition software refers to it as CME-24. This is important since this worm has many different names including Nyxem.E, BlackWorm, Grew and Mywife.E.
More on the worm and its permutations and statistics on spreading.
A very detailed analysis with all types of files that may be affected.
And, if it's worth anything to you, the Microsoft advisory which seems to tout that Windows Live Safety Center Beta can protect against it. If you're in charge of computer security at your workplace, I would send out an e-mail instructing everyone to verify that they have the correct anti-virus definitions and to scan their computers before leaving tonight. Luckily, that's not my job where I work. -
Trial/free anti-virus that remove Win32/MyWife
Hello,
A bit of searching came up with the following free or trial versions of anti-virus programs which are capable of detecting and removing Win32/MyWife (née CME-24):
Alwil - Avast! 4 Home Edition (free for personal non-commercial use)
ESET - NOD32 trial version (30-day evaluation)
Grisoft - AVG Free Edition (free for personal non-commercial use)
Kaspersky Lab - Anti-Virus Personal 5.0 (30-day evaluation)
McAfee - VirusScan (30-day evaluation)
Microsoft - Windows Malicious Software Removal Tool (KB890830) (free)
Panda - Titanium Antivirus 2006 (30-day evaluation)
Sophos - Anti-Virus (30-day evaluation)
Symantec - W32.Blackmal@mm Removal Tool (free)
Trend Micro - PC-cillin Trial Version (30-day evaluation)
I'm certain other readers will look up and post links to additional vendors, too. Ob-disclaimer: I happen to work for one of the companies listed above, so there.
Regards,
Aryeh Goretsky -
Re:Apple has even addresed that to some extent
But really, what modern viruses actually delete user data?
This one. Granted, it wasn’t out there when you posted that, but as of this morning there have been 700,000 confirmed sightings. -
Re:This is why I use Windows
Almost immediately eh? So then what's up with the entry in the CVE stating it was "assigned 20051220" -- nearly a month ago?
...and yes, I'm almost positive that's supposed to be a date. Besides the fact that other entries have the same datelike format, one can also see that bugs such as Microsoft's WMF Vulnerability from December 28th 2005 have matching assigned values (20051228 in this case).
On an aside, I REALLY need to get myself a slashdot account and stop posting anonymously!
-
Re:I find such lack of security...
> ... http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3257 Date? 2005-10-17
> ... http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490 (and 2492, both with sendmsg) Date? 2005-09-09
> ... http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768 Date? 2005-07-11 ...
Oh well, once every month or two isn't as bad as weekly. Hopefully people will be just as forgiving of this Linux track record that you provided as they are of Microsoft's track record with the security holes in Windows.
Swiss cheese and wine, anyone? -
Re:I find such lack of security...
Say what???
Just about weekly? I beg to differ. Last local root exploit:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3257 Date? 2005-10-17
The one before:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490 (and 2492, both with sendmsg) Date? 2005-09-09
How about the one before?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768 Date? 2005-07-11
Perhaps you'd like to backup your claim?
Dozens? No. Several? Yes. Dozen? About that. How many would M$ products have if as many eyes analyzed it relentlessly? A metric assload. Take the partial 2k source code for an example. -
Re:I would not be suprised at all.
Yeah seen it on bugtraq recently, here's the url's
13-Jan-2006 07:12
From: Sune Kloppenborg Jeppesen
http://www.gentoo.org/security/en/glsa/glsa-200601-09.xml
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0106 -
Dangerous colour? (was: Re:block wmf)
Well, I don't use MS Windows so I don't know much about it, but I seem to remember reading something strange about an exploitable *colour* on MS Windows systems: http://secunia.com/advisories/16004, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1219 -
CVE link
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1790
"Phase: Assigned (20050601)"
IE hackers too busy trying to play catch up with firefox to fix non-critical bugs, maybe?
The good thing of all this is that since Microsoft only releases security patches on thursday - you know, "admins want predictability" and all that shit that some companies use and that lots of shitty admins believe - so you have a full week as minimum to exploit this on your web pages. Enjoy, IE users!