
Re: assignments for malware



On Mon, 2018-08-13 at 14:44 -0500, jericho wrote:
> On Mon, 13 Aug 2018, Kurt Seifried wrote:
> 
> : Depending on how the names are parsed and how the namespace is
> : managed (or not) it can actually be attacked in some cases, through
> : automated dependency resolvers. And again, if there's malicious code
> : being distributed and used is there some specific reason we don't
> : want to tell people about it, and would rather ignore it?
> 
> The quick answer is 'yes', volume alone. Trying to track any site
> distributing malware would be extensive to say the least.
> 

Good point.  I would add that things installed through deception are
more the domain of social engineering than software engineering.  If
automated dependency resolvers can be made to install such things, then
I'd say the vulnerability resides in the resolvers, and I don't care
about each of the large number of things that could potentially be
installed.

We sure want people to know about security issues that are relevant to
them.  However, I'd say malware instances are out of scope of the CVE,
whereas flaws that allow malware installation are in scope.  The malware
isn't the flaw.

Pascal
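The point both Kurt and Pascal are circling is that the weakness, when there is one, sits in how a resolver maps a bare package name onto a registry. The toy model below is an added illustration, not code from the thread or from any real package manager: two registries (the hypothetical URLs, package names, payloads and digests are all constructed) serve a package with the same name, a naive resolver that merges registries and takes the highest version is steered to the attacker-controlled copy, and a resolver that pins each name to one registry and checks a recorded digest is not.

```python
"""
Added example (not part of the mailing-list thread): a toy dependency
resolver showing why "the vulnerability resides in the resolvers".
Registry URLs, package names, payloads and the lockfile below are all
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One downloadable package build as a registry would advertise it."""
    name: str
    version: tuple          # e.g. (1, 2, 0); tuples compare lexicographically
    registry: str           # which registry served this candidate
    payload: bytes          # the archive bytes (constructed stand-ins here)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


# Hypothetical registries (assumed names, not real hosts).
PRIVATE = "https://registry.internal.example"
PUBLIC = "https://registry.public.example"

# Constructed sample data: an internal package, and a public upload that
# reuses its name with a much higher version number.
REGISTRIES = {
    PRIVATE: [
        Candidate("acme-utils", (1, 2, 0), PRIVATE,
                  b"legit build of acme-utils 1.2.0"),
    ],
    PUBLIC: [
        Candidate("acme-utils", (99, 0, 0), PUBLIC,
                  b"attacker-uploaded acme-utils 99.0.0"),
        Candidate("other-lib", (2, 0, 0), PUBLIC,
                  b"some unrelated public library"),
    ],
}


def lock_entry(candidate: Candidate) -> dict:
    """Record what a lockfile needs: the authoritative registry and digest."""
    return {"registry": candidate.registry, "sha256": candidate.sha256}


# Constructed lockfile, generated from the known-good internal build.
LOCK = {"acme-utils": lock_entry(REGISTRIES[PRIVATE][0])}


def resolve_naive(name: str, registries: dict) -> Candidate:
    """Flawed namespace handling: every configured registry is treated as
    equally authoritative for every name, so the highest version wins
    regardless of where it came from."""
    candidates = [c for reg in registries.values() for c in reg if c.name == name]
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda c: c.version)


def resolve_pinned(name: str, registries: dict, lock: dict) -> Candidate:
    """Hardened handling: only the registry pinned for this name is
    consulted, and the candidate must match the recorded digest, so a
    same-named package elsewhere (or a swapped build) is never installed."""
    entry = lock[name]
    for c in registries.get(entry["registry"], []):
        if c.name == name and c.sha256 == entry["sha256"]:
            return c
    raise LookupError(
        f"{name}: nothing in {entry['registry']} matches the pinned digest")


if __name__ == "__main__":
    picked = resolve_naive("acme-utils", REGISTRIES)
    print("naive  ->", picked.version, "from", picked.registry)
    picked = resolve_pinned("acme-utils", REGISTRIES, LOCK)
    print("pinned ->", picked.version, "from", picked.registry)
```

The naive resolver picks 99.0.0 from the public registry purely because of the version number; the pinned resolver returns the 1.2.0 internal build and raises if the bytes served for it ever change. Per Pascal's argument, the CVE-worthy item in such a scenario is the resolver behaviour in resolve_naive, not any particular package someone chose to publish.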


Page Last Updated or Reviewed: August 14, 2018