
Re: [SECURITY] [DSA 2695-1] chromium-browser security update



On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote:

> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote:
> 
> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote:
> > 
> >> or possibly have unspecified other impact via unknown vectors.
> > 
> > I'm just wondering ... is that Google language for "or possibly allow
> > remote code execution" ?
[...] 
> That is the intentionally vague language of CVE (e.g.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837).
[...]
> In terms of chromium, your best bet is simply to wait for the bugs to
> become unembargoed (e.g.
> https://code.google.com/p/chromium/issues/detail?id=235638).

Thanks.  It's just that I tend to expect that by the time a security fix is 
released, those bugs *are* unembargoed, researchers are poring over code diffs, 
and clear descriptions are usually forthcoming cos there's no longer any point 
in being coy.  For instance, by the time a Firefox release is made Mozilla 
states explicitly in the release information whether or not each bug could 
cause rce.  Same thing for Microsoft.

It occurred to me maybe - for whatever reason - Google Corp has devised its 
own vocabulary for these things; sort of like Oracle Corp never calling a 
spade a spade in these matters.  Or the kernel team [ducks quickly] :)

I understand the Mitre people's predicament about the analysis workload
though .... [gulp].

Cheers,
Nick
-- 
Firefox 3.6? Dude we're on 8.0 now. You're like 3 weeks behind !

