[VIM] DLL hell: 2010

Steven M. Christey coley at linus.mitre.org
Fri Aug 27 13:47:48 CDT 2010

On Fri, 27 Aug 2010, security curmudgeon wrote:

> I was telling Carsten last night that I expect a big wave of them, that
> we had only seen the tip of the iceberg. However, I am really surprised
> that F-D hasn't been flooded with them yet and suggests that maybe it
> won't be as big as we realize. Perhaps even those who favor low hanging
> fruit think it is too low?

That hasn't stopped XSS finders in the past, or the RFI grep-and-gripers.

I'm not overly surprised at the false positives.

> Also ran into another where the vendor was told "your product is 
> vulnerable to this". The vendor realized that an older version of the 
> product was (technically), the current product was not, and that the old 
> version was only vulnerable because it used QT which is vulnerable.

This is the one that will be the most problematic from a CVE standpoint: 
ideally, we would only assign one CVE for QT, but many researchers are 
unlikely to do that kind of diagnosis.  Like the researchers who reported 
XSS in error messages that gave clear evidence of RFI/LFI.

> I believe that we will keep seeing these, but perhaps not as fast as I
> thought.

Unless one individual picks up the cause.

- Steve

More information about the VIM mailing list