Got it, thanks!

James

On 18/07/17 07:28 PM, Sébastien Delafond wrote:
> On Jul/18, James Lu wrote:
>> I'll admit that my initial guess of the bug's severity was a bit
>> rushed. Upon thinking about it more, I do feel that this bug /could/
>> be reliably exploited. I have these thoughts in particular:
>>
>> 1) I can think of a few ways that a strangely named file with code
>> inside it could make its way onto a system: crafted download links,
>> maliciously prepared storage (USB sticks, etc.), and archives with
>> such a file inside them. In these cases, a bit of social engineering
>> could induce a user into browsing to a folder with the file (which is
>> a seemingly innocuous action by itself) and triggering the exploit.
>>
>> 2) However, VBScript is a pretty niche language AFAIK, and there's
>> almost no use of it whatsoever outside Windows. Therefore, any
>> attempts to exploit this would indicate a substantially targeted
>> attack. Originally, this was the only reason why I thought this bug
>> would be low impact.
>>
>> 3) This is my first time actively dealing with a security fix myself,
>> so I really don't want to be misjudging the severity of any
>> exploit. Trying to imagine the potential impact closely makes me
>> paranoid, and at this point I'm fairly uncertain what the right
>> severity is. With this info in mind, I humbly request a second opinion
>> :)
>
> I agree it's not extremely difficult to fool someone into visiting a
> folder containing the pathologic MSI file, but the fact you need a
> working wine setup already in place heavily mitigates the severity. We
> therefore still consider this one to be low-severity/no-dsa.
>
> Cheers,
>
> --Seb
>