Joachim Schrod wrote:
... Let me propose another hilarious 5-step process:
1. Read the LWN.net security page.
OK, so I did.
2. Detect how many exploits are based on data files, and not on executables. just last week: ...
Not a single exploit listed. Many vulnerabilities, almost all qualified as "user-assisted" or "local".
3. Stop feeling so smug.
I know of no one who's "feeling smug" -- except maybe you?
4. Follow other exploit publications, security pages, and security mailing lists; detect how many privilege escalation exploits are out there. Understand that they can be triggered by remote exploits from step 2.
I do, frequently, and in every case, it's the same -- zero exploits, many vulnerabilities, almost all qualified as "user-assisted". All with solutions or planned solutions. And all found by professionals doing good work -- not by bad guys looking to do harm. Contrast that with the Microsoft situation.
5. Start feeling numb when you read all the dumb posts in this thread that focus on executable programs that the user must run (because this is the prominent attack vector on Windows).
Actually, I can only feel irritated at the one hysteria-monger who can't see the difference between good work finding and characterizing vulnerabilities and poor work reacting to exploits of vulnerabilities swept under the rug.

John Perry