
Re: assignments for malware



Depending on how the names are parsed and how the namespace is managed (or not) it can actually be attacked in some cases, through automated dependency resolvers. And again, if there's malicious code being distributed and used is there some specific reason we don't want to tell people about it, and would rather ignore it? I think reducing the scope of coverage of CVE doesn't make much sense, especially in the modern world with how agile-hyper-dev-sec-ops-scrum (I don't know what the terms are anymore so just making a single large one) is actually using a lot of this stuff in ways that ignore pretty much everything except for CVEs when it comes to problems.

On Mon, Aug 13, 2018 at 1:31 PM, jericho <jericho@attrition.org> wrote:

On Mon, 13 Aug 2018, Kurt Seifried wrote:

: A backdoor is a vulnerability. I think the problem is CVE in past dealt
: with "oops we make a mistake" and not "oops, a malicious actor did it on
: purpose".
:
: Doesn't matter to the end user, well actually it does, backdoors are
: worse because someone for sure knows about the vulnerability and most
: likely intended to use it. So do these things need CVEs, tracking and
: remediation for people affected by it? Yes.
:
: I'm trying to imagine a scenario where a software or service user goes
: "oh, this exploitable flaw is a backdoor, thus no CVE, thus we don't
: need to remediate it" and uhh.. I can't imagine that, not even close.


Granted. But a malicious module that has a similar name as another isn't a
backdoor.



--
Kurt Seifried
kurt@seifried.org
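The point above about name parsing and automated dependency resolvers is the defender's angle on look-alike package names: whether a resolver treats "Requests" and "requests" as the same package, and whether anything notices "urlib3" before it is installed. The following is an added example, not code from the thread or from any project discussed in it; it audits a requirements-style list against a constructed allowlist, normalizing names the way the PyPI simple index does (PEP 503: case-fold, collapse runs of `-`, `_`, `.`) and flagging names within a small edit distance of a trusted name as likely typosquats. The allowlist, the sample requirements and the `max_distance` threshold are constructed for illustration.

```python
"""Flag dependency names that are near-misses of trusted package names.

Added example (not from the mailing-list thread). Assumes PEP 503-style
name normalization, which is how the PyPI index compares project names.
The allowlist and the sample requirements below are constructed.
"""
import re
from typing import Dict, Optional, Set

# Constructed allowlist: packages an organisation has actually vetted.
TRUSTED: Set[str] = {"requests", "urllib3", "cryptography", "pyyaml", "six"}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse separator runs to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; measures how many edits separate two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> Optional[str]:
    """Return the bare project name from one requirements line, or None for
    blank/comment lines. Version specifiers, extras and markers are dropped."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def classify(name: str, trusted: Set[str] = TRUSTED, max_distance: int = 2) -> str:
    """'trusted' if the normalized name is on the allowlist; 'suspicious' if
    it is within max_distance edits of a trusted name (a likely typosquat);
    otherwise 'unknown' (not vetted, but not a near-miss either)."""
    norm = normalize(name)
    if norm in trusted:
        return "trusted"
    if any(0 < edit_distance(norm, t) <= max_distance for t in trusted):
        return "suspicious"
    return "unknown"


def audit(requirements: str, trusted: Set[str] = TRUSTED) -> Dict[str, str]:
    """Return {requested_name: verdict} for every requirement line."""
    report: Dict[str, str] = {}
    for line in requirements.splitlines():
        name = parse_requirement(line)
        if name is not None:
            report[name] = classify(name, trusted)
    return report


# Constructed sample input; the names are illustrative, not real incidents.
SAMPLE_REQUIREMENTS = """
Requests==2.19.1      # differs only by case: same package after normalization
urlib3>=1.23          # one character short of urllib3
crypt0graphy          # digit substituted for a letter
PyYAML
numpy                 # not on the allowlist, but not near any trusted name
"""

if __name__ == "__main__":
    for pkg, verdict in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:15s} {verdict}")
```

Run as a pre-install gate in CI, a "suspicious" verdict is the moment to stop and look, which is exactly the visibility the thread argues a CVE would give after the fact. The distance threshold is a trade-off: too high and every short name collides with something on the allowlist, too low and a two-character swap slips through, so tune it against your own allowlist before relying on it.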

Page Last Updated or Reviewed: August 13, 2018