[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CONTENT DECISION: Presence of Services or Applications (SA)

Hash: SHA1

I agree with these comments as well!  Unless there is an actual
vulnerability related to one of these services, don't see them as
being CVE material just by running.  This becomes a "best practice" or
company policy decision rather than a vulnerability.

- -mike

- -----Original Message-----
From: Aleph One [mailto:aleph1@UNDERGROUND.ORG]
Sent: Tuesday, August 03, 1999 11:28 PM
To: spaf@CS.PURDUE.EDU; Steven M. Christey
Cc: cve-editorial-board-list@lists.mitre.org
Subject: Re: CONTENT DECISION: Presence of Services or Applications

On Tue, Aug 03, 1999 at 08:52:05PM -0500, Gene Spafford wrote:
> I really do not like the idea behind this category.   We might as
> well include most MS-based protocols, and most TCP services.   The
> fact that a service is present and has a history of being a point of
> entry on some systems is not a vulnerability.    That's like saying
> that the presence of computers tends to enable hacking -- take away
> the computers, and you no longer have break-ins!

Hear, hear!

> --spaf

- --
Aleph One / aleph1@underground.org
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Version: PGP 6.0.2


Page Last Updated or Reviewed: May 22, 2007