Re: CONTENT DECISION: Presence of Services or Applications (SA)

• To: cve-editorial-board-list@lists.mitre.org
• Subject: Re: CONTENT DECISION: Presence of Services or Applications (SA)
• From: Pascal Meunier <pmeunier@purdue.edu>
• Date: Thu, 5 Aug 1999 22:32:24 -0500
• In-Reply-To: <37A9F630.AD759C35@mitre.org>
• References: <FD38C4FC4464D211A06900A0C9E47AE03D6333@catbert.l-3security.com>
• Sender: owner-cve-editorial-board-list@lists.mitre.org

>Let's say that I am one of your customers. Let's say my
>policy states that finger should not be running on any
>of my boundary machines.  Let's say your scanner determines
>that finger is, in fact, running on one of my boundary machines.
>
>Question:  Has your scanner just identified a vulnerability
>on my system?

No it's not a vulnerability, it's a policy violation, and no I don't admit
that vulnerabilities  can be understood independently of policy.  The
vulnerability is what allowed someone to get finger to run on your system,
because your policy is to not have finger running.  Finger running is just
the result of the attack, the symptom if you will that something else is
amiss in your system.
Pascal

Microsoft Windows is also a way of thinking - or not thinking, to be more
exact.
-- RA Downes  Radsoft Laboratories

• References:
  • RE: CONTENT DECISION: Presence of Services or Applications (SA)
    • From: "Prosser, Mike" <mike.prosser@L-3SECURITY.COM>
  • Re: CONTENT DECISION: Presence of Services or Applications (SA)
    • From: Dave Mann <damann@mitre.org>

• Prev by Date: RE: CONTENT DECISION: Presence of Services or Applications (SA)
• Next by Date: Re: Universal vs. Environmental Policy, and the "vulnerability" term
• Prev by thread: Re: CONTENT DECISION: Presence of Services or Applications (SA)
• Next by thread: RE: CONTENT DECISION: Presence of Services or Applications (SA)
• Index(es):
  • Date
  • Thread