[VIM] ZDI-13-132 and a CVE?
Henri Salo
henri at nerv.fi
Sat Aug 17 01:25:01 CDT 2013
On Fri, Aug 16, 2013 at 09:37:13AM -0500, ZDI Disclosures wrote:
> Hello,
>
> This was released as a "security in depth" bulletin. As such it does
> not have a CVE assigned.
>
> This is also true of ZDI--13-193 for Microsoft (although they call
> it "defense in depth").
>
> Regards
> The ZDI Team
Details of the issue:
"""
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or open a
malicious file.
The specific flaw exists within the java.security.KeyStore class. The issue lies
in the execution of a user-supplied callback in a privileged context. An
attacker can leverage this vulnerability to execute code under the context of
the current process.
"""
and the Oracle page is saying:
"""
A Critical Patch Update is a collection of patches for multiple security
vulnerabilities.
"""
This definitely sounds like it needs a CVE or multiple CVEs. In my opinion
security in depth does not mean it's not a fix for a vulnerability. Other
opinions/comments?
---
Henri Salo
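The pattern the quoted advisory describes ("execution of a user-supplied callback in a privileged context") is a general Java secure-coding issue, independent of the CVE question. The following is an added illustration written for this archive, not code from ZDI, Oracle, or the JDK, and not a reproduction of the KeyStore bug itself (no details of which appear in this thread). The class and method names, the trusted-file helper and the sample input are all constructed for the example. It places the vulnerable shape of a library method next to the corrected shape: the difference is only where the caller's callback runs relative to the AccessController.doPrivileged frame.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.function.Consumer;

// Hypothetical trusted library class (constructed for this example).
// It has more permissions than the untrusted code that calls it.
public class PrivilegedCallbackExample {

    // Stand-in for a privileged read the library legitimately needs to do.
    // Constructed: returns fake contents instead of touching the filesystem.
    static byte[] readTrustedFile(String path) {
        return ("contents of " + path).getBytes();
    }

    // VULNERABLE SHAPE: the caller-supplied callback is invoked *inside*
    // doPrivileged. Stack inspection stops at the doPrivileged frame, so
    // whatever the callback does is checked against the library's own
    // protection domain, not the caller's. An untrusted caller effectively
    // borrows the library's permissions for the duration of the callback.
    static void loadVulnerable(String path, Consumer<byte[]> onLoaded) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            byte[] data = readTrustedFile(path);  // legitimately privileged
            onLoaded.accept(data);                // untrusted code, still privileged
            return null;
        });
    }

    // HARDENED SHAPE: only the library's own work sits inside doPrivileged.
    // The callback runs after that frame has returned, so any guarded
    // operation it attempts is checked against the caller's permissions.
    static void loadHardened(String path, Consumer<byte[]> onLoaded) {
        byte[] data = AccessController.doPrivileged(
            (PrivilegedAction<byte[]>) () -> readTrustedFile(path));
        onLoaded.accept(data);
    }

    // Harmless demonstration callback (constructed); it only reports length.
    public static void main(String[] args) {
        Consumer<byte[]> report =
            d -> System.out.println("callback saw " + d.length + " bytes");

        loadVulnerable("example.keystore", report);
        loadHardened("example.keystore", report);
    }
}
```

Review checklist that follows from the two shapes: inside every doPrivileged block, confirm that no caller-controlled object (callback, listener, Runnable, overridable method on a caller-supplied subclass) is invoked, and that the privileged region is as small as the library's own work allows. The hardened form also keeps the result type explicit (PrivilegedAction<byte[]>) so the privileged section returns plain data rather than executing behaviour on the caller's behalf. Note that this relies on the SecurityManager/AccessController model of the JDK versions current at the time of the advisory; on later JDKs where the security manager is deprecated or disabled, the same code compiles but the permission boundary it illustrates is not enforced.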