> -----Original Message-----
> From: http-equiv@excite.com [mailto:1@malware.com]
> Sent: Friday, February 20, 2004 1:37 PM
> To: bugtraq@securityfocus.com
> Subject: Re: is predicatable file location a vuln? (was RE:
> Aol Instant Messenger/Microsoft Internet Explorer remote code
> execution)
>
> <!--
>
> > Being able to store arbitrary content in a predictable file
> > location is a vulnerability category of its own
>
> An interesting category, for sure. I think this point deserves
> discussion. Is the use of predictable file locations really a
> vulnerability?
>
> -->
>
> If it isn't it should be. I'll give you four that have been put
> on the back-burner for later realization (make a note that this
> will be fair warning to the vendor):

If the predictable path involves server or client access, then it is definitely a security bug. It may be moderate or low risk depending on the potentiality of abuse and perhaps other factors. But, as a security bug, it should be higher risk than high risk, non-security issues.

With Internet Explorer or Outlook or Winamp and so on... These kinds of client applications have shown that these issues tend more towards being moderate security issues of the "configuration error" type.

Anyway, not to be dogmatic, but I do believe this is reasonable.

If Microsoft is not fixing these issues because they do not consider them security issues nor even bugs, then they are obviously negligent and grossly so.

<snip>

> The vendor in all cases, just cannot be bothered to fix any of
> these things. Simply does not care. It seems that the new mantra
> is "none of our customers are affected by it" so let's not fix
> it.
>
> WATCH OUT !
>
> All these will culminate in yet another STENCH ! exploit sooner
> or later.
>
> That is a true predictable path.
>
>
> End Call
>
>
> --
> http://www.malware.com