Thomas Fauerskov Kristensen is a Danish footballer who plays as a midfielder for Brisbane Roar in the A-League. Kristensen has been capped eleven times for the Danish national team... (wikipedia)
Vendors can take months to create patches, and sometimes users grumble about that, ... But the alternative is to have patches that can be circumvented or aren't appropriate for the vulnerability. It's a difficult balance.
Since printers are connected to the network, they can be vulnerable. Attackers might use a printer connection to get to other parts of a system, and sometimes it's very easy to get into a company that way.
Only a few companies, including the open source vendor Red Hat, handle vulnerabilities in an equally responsible way.
It certainly is a serious threat, but given the amount of information available from Cisco you would think there would only be an extremely limited number of vulnerable systems. Most people should have patches in place before there are any exploits.
I think Steve has got some good points on why comparing vulnerability numbers is difficult.
While the bug in itself could look like a back door, I find it highly unlikely that it actually is a deliberately placed back door.
Users should be less concerned if the application they're using is from a Linux distributor, because they have patches available. But with third-party vendors, users might not know about the problem until they read about it.
Three of the vulnerabilities can launch malicious code that allows an attacker to snoop on users. The other vulnerability is a DOS attack that will only work in a few cases and crash the media player when it tries to open a file.
We aren't aware of any systems that have been compromised yet, but it's likely to happen since there's exploit code out.
We don't have an 'extremely critical' ranking very often. We use the rating sparingly so people will know when the danger is very serious.
Why bother writing a virus for Linux and Mac when you can get so many other users by writing one for Windows? This is especially true because, for a virus to become serious, it has to find other vulnerable systems, and with Macs, that would be a very limited spread.
Someone who's able to intercept the message as it's transmitted could inject some data, and then the person who verifies the signature would be told it's a valid, unaltered message.
Apple has done much better at dealing with issues in the past couple years than it did before.
This is a big problem because a very large number of corporations use Lotus Notes. When users receive an e-mail with an attachment, all they have to do is click on the attachment to read it, and their systems are vulnerable to a remote attack.
IPv6 is still in very early stages of deployment, so it's natural to see issues coming up and getting fixed. The same kind of vulnerability came up in IPv4.
I don't think many software vendors would be willing to run the risk of deliberately placing a back door in their software. The benefits compared to the huge risk of disclosure simply aren't worth it.
Because of all the barriers, it just seems like virus writers won't bother unless they see Macs as some kind of new frontier. Even then, few won't want to put in that kind of time and effort.
An attacker could use the exploit to run any code they want to on a person's system. It could be they want to launch some really nasty code on a user's system.