[VIM] DLL hell: 2010
jericho at attrition.org
Fri Aug 27 13:57:13 CDT 2010
: > I was telling Carsten last night that I expect a big wave of them, that
: > we had only seen the tip of the iceberg. However, I am really surprised
: > that F-D hasn't been flooded with them yet and suggests that maybe it
: > won't be as big as we realize. Perhaps even those who favor low hanging
: > fruit think it is too low?
: That hasn't stopped XSS finders in the past, or the RFI grep-and-gripers.
No, but that turned into a steady volume that VDBs came to handle.
: > Also ran into another where the vendor was told "your product is vulnerable
: > to this". The vendor realized that an older version of the product was
: > (technically), the current product was not, and that the old version was
: > only vulnerable because it used QT which is vulnerable.
: This is the one that will be the most problematic from a CVE standpoint:
: ideally, we would only assign one CVE for QT, but many researchers are
: unlikely to do that kind of diagnosis. Like the researchers who
: reported XSS in error messages that gave clear evidence of RFI/LFI.
That is the fallout I am looking forward to. We've seen dozens of reports,
but only a couple vendor responses. How many turn out to be more
More information about the VIM