Joachim Schrod wrote:
> ...
> Let me propose another hilarious 5-step process:
>
> 1. Read the LWN.net security page.

OK, so I did.

> 2. Detect how many exploits are based on data files, and not
>    on executables. just last week: ...

Not a single exploit listed. Many vulnerabilities, almost all qualified as "user-assisted" or "local".

> 3. Stop feeling so smug.

I know of no one who's "feeling smug" -- except maybe you?

> 4. Follow other exploit publications, security pages, and security
>    mailing lists; detect how many privilege escalation exploits
>    are out there. Understand that they can be triggered by remote
>    exploits from step 2.

I do, frequently, and in every case, it's the same -- zero exploits, many vulnerabilities, almost all qualified as "user-assisted". All with solutions or planned solutions. And all found by professionals doing good work -- not by bad guys looking to do harm. Contrast that with the Microsoft situation.

> 5. Start feeling numb when you read all the dumb posts in this
>    thread that focus on executable programs that the user must
>    run (because this is the prominent attack vector on Windows).

Actually, I can only feel irritated at the one hysteria-monger who can't see the difference between good work finding and characterizing vulnerabilities and poor work reacting to exploits of vulnerabilities swept under the rug.

John Perry
