Am 21.05.2014 20:12, schrieb Michal Zalewski: >> the existence of "C:\Program.exe" must not have any bad affect >> for any random installer not intending to execute this > > Sounds like a good goal. The installer probably also shouldn't play > obscene messages via PC speaker. If it did, it would be undesirable > and probably considered a bug > > Now, in practical terms... in absence of a plausible risk / attack > vector, it doesn't sound like much of a security issue (unless you > adopt the approach advocated on the predecessor of this list by Mr. > Lemonias)
and *that* attitude is the root cause for all the software crap around * anobody knows that unverified input is bad * anybody knows that unescaped input is bad so why the fuck discuss in the way "show me the attack vector" instead a) learn from the existing bad code to write better and just accept that *it is* a security relevant bug 90 out of 100 security flaws in the past years where from the category "hy should i bother about this and that, it is unlikely"
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
