[VIM] DLL hell: 2010

security curmudgeon jericho at attrition.org
Fri Aug 27 13:57:13 CDT 2010


: > I was telling Carsten last night that I expect a big wave of them, that
: > we had only seen the tip of the iceberg. However, I am really surprised
: > that F-D hasn't been flooded with them yet and suggests that maybe it
: > won't be as big as we realize. Perhaps even those who favor low hanging
: > fruit think it is too low?
: 
: That hasn't stopped XSS finders in the past, or the RFI grep-and-gripers.

No, but that turned into a steady volume that VDBs came to handle.

: > Also ran into another where the vendor was told "your product is vulnerable
: > to this". The vendor realized that an older version of the product was
: > (technically), the current product was not, and that the old version was
: > only vulnerable because it used QT which is vulnerable.
: 
: This is the one that will be the most problematic from a CVE standpoint: 
: ideally, we would only assign one CVE for QT, but many researchers are 
: unlikely to do that kind of diagnosis.  Like the researchers who 
: reported XSS in error messages that gave clear evidence of RFI/LFI.

That is the fallout I am looking forward to. We've seen dozens of reports,
but only a couple vendor responses. How many turn out to be more
complicated...
