[VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)
Gadi Evron
ge at linuxbox.org
Thu Feb 22 03:20:48 EST 2007
On Thu, 22 Feb 2007, Steven M. Christey wrote:
>
> On Wed, 21 Feb 2007, security curmudgeon wrote:
>
> > Curious how this came to be. Did someone add a vulnerability to a copy
> > before sharing it and letting it circulate in the warez circles?
>
> I'm pretty sure this wasn't the first, nor the last, case of a
> vulnerability in a Trojaned warez product that wasn't in the legitimate
> product (assuming the vendor dispute is correct). Maybe some of our
> disputes are actually assumintg legitimate distributions.
>
> I don't think CVE should be tracking malicious modifications from
> unofficial channels. Now, if a product is trojaned at its legitimate
> distribution point, that's of concern to consumers and gets a CVE. But
> modified warez falls under the malware category, for me anyway. Would
> OSVDB be interested in cataloging vulnerabilities in malware? They're
> technically vulnerabilities from the malware's point of view, after all
> ;-)
>
> Gadi - any insights into warez backdoors? I know I've run into one or two
> PHP warez sites out there.
Yes, people are already compromised if they get to that point. Usually
though there will be other binaries in the directory and use of file
infectors would be made. In most other cases the download would be a fake
and actually a malware.
Of more effect are vulnerabilities in spyware..
>
> - Steve
>
More information about the VIM
mailing list