From: Don S. <do...@se...> - 2004-01-28 01:48:15
On Tue, Jan 27, 2004 at 03:05:21PM -0800, AthlonRob wrote:
> Please don't top-post, it just plain sucks...

My email etiquette is the least of my worries. Thanks for caring though.

> Are these issues really so terribly serious we should all be patching
> our gaims? If you're running gaim as root, then you really almost
> deserve anything you get. If you're running it as a user, any damage
> done will be not so huge.

I agree about the root thing, but saying that damage "will not be so huge" is like saying that cutting off your pinky doesn't matter because the damage will not be so huge. You'll still probably have total functionality of your hand, but I'm sure you'd rather not go through the process of cutting off your pinky and recovering from it.

> And that is all assuming somebody is able to utilize these security
> holes and execute code remotely. More likely is they would be able to
> potentially crash gaim. Gaim crashes frequently enough all by itself,
> who is going to care if somebody remotely crashes it?

Yes it is assuming and the security focus group has proof of concept code to do it. I don't experience that many gaim crashes, maybe 2 or 3 a week. Just because gaim crashes for me now means I shouldn't care that now someone else can crash it on demand?

> As I read the report, it was a lot of "potentially" and "maybe" issues.
> With no actual example of the code being utilized to do damage to
> anybody, I really don't see how you can justify calling the issues a
> 'serious security flaw' ... can you?

Yes I can. The fact that someone can do anything uninvited and unwelcome on my machine is a serious security flaw. Are you a Windows user that you somehow think remote exploits are just a fact of life that we should learn to live with?

> Serious security flaws in the past include the Apache hole that had that
> worm spreading around two years ago, Outlook Express automatically
> executing code embedded in an email, Internet Explorer automatically
> executing malicious code on websites, or the whole Windows/MSBlaster
> hole.
>
> I think we will all survive this 'serious security flaw'.

I'm not speaking in relative terms. Just because gaim isn't spreading the Melissa virus around doesn't mean we shouldn't worry about it. As I said before, the fact that someone with enough motivation can do something that I don't want them to on my machine is a _serious_ security flaw. Keep telling yourself otherwise if it makes you feel more comfortable.

Don.

--
"The senator [John McCain] has got to understand if he's going to have---he can't have it both ways. He can't take the high horse and then claim the low road."
George W. Bush
February 17, 2000
From campaign speech in Florence, South Carolina.