Yonatan Zunger (zunger) wrote,
Yonatan Zunger
zunger

What the fuck...?

From a CERT advisory I received today (CA-2003-22, "Multiple vulnerabilities in Microsoft Internet Explorer"):

VU#548964 - Microsoft Windows BR549.DLL ActiveX control contains
vulnerability

The Microsoft Windows BR549.DLL ActiveX control, which provides
support for the Windows Reporting Tool, contains an unknown
vulnerability. The impact of this vulnerability is not known.

Could someone please explain to me what the hell this sort of report is supposed to mean? I mean, was this vulnerability discovered by consulting the Delphic oracles? Or has CERT decided that, in the present legal climate, they can only inform the world of critical bugs by means of gnomic utterances and vague allusions?

I can just see now where this is heading... two years from now, I'll be getting this --

VU#xxxxxx - Software is all perfectly fine!

There has been a rumor that a certain piece of software has
a minute imperfection. Please do not listen to this at all, nudge
nudge, wink wink. There is no impact to this at all, and you should
not be in any way worried that it could allow an attacker to execute
arbitrary code on ***** systems with the privileges of the root user.
Have a nice day!
  • Post a new comment

    Error

    switch
    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    Help
  • 5 comments

hansandersen

August 26 2003, 16:18:46 UTC 12 years ago

Chill. Less FUD, more google searching.

http://www.windows-help.net/windows98/ie50-18.shtml

hansandersen

August 26 2003, 16:21:16 UTC 12 years ago

err, never mind - at first glance, I thought you were worried about the presence of a "Microsoft Reporting Tool", instead of the unreasonable vague nature of the report.

Carry on.

jephly

August 26 2003, 17:34:29 UTC 12 years ago

CERT is simply trying to construct a new language for discussing security issues, modeled around the C language paradigm.

This, for example, is just an uninitialized vulnerability. The syntax for vulnerabilities is as follows:

1 Vulnerability foo;
2 foo = new Vulnerability();
3 foo.exploit(ROOT);

Between step 1 and 2, the vulnerability foo is uninitialized, thus it's impact is unknown.

zunger

August 26 2003, 18:00:26 UTC 12 years ago

Perhaps they need to use stricter compiler flags, to keep them from issuing uninitialized vulnerabilities?

Forward thinking

efng

August 26 2003, 22:45:43 UTC 12 years ago

These are truly visionary people. I like that they know about an unknown vulnerability, perhaps they are laying the groundwork for reporting vulnerabilities in quantum computers.

Or maybe it is MUCH simpler then that. Perhaps they plan to start a new service "Ms Alert-A-Day" in which they pick a random Microsoft file and tell you that there is a vulnerability in said file. This way they no longer have to really look for problems in Windows thus saving countless hours for work which the DoD funds therefore saving us, the U.S. taxpayer, money!

Either way these people should be recognized for their unique perspective on security alerts. All hail C.E.R.T.!