Date: Mon, 7 Aug 2000 18:47:02 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject: Re: Brown Orifice
To: BUGTRAQ-PRESS@SECURITYFOCUS.COM

One member of the press pointed out to me an article by the Associated Press on this vulnerability. You can read it at http://www.mercurycenter.com/svtech/news/breaking/ap/docs/283815l.htm

Sadly, the article starts off on the wrong foot by claiming almost 1,000 computers have been already infected. This is a false statement. The author either simply wrote something that was told to him by a member of the security industry, or he visited the Brown Orifice site, which has a list of how many people have downloaded the applet, and assumed these people are running the applet without their knowledge.

The people that visited the Brown Orifice site, downloaded the applet and executed it did so with their full knowledge. They did so to test the vulnerability. They are not victims. They are not "infected".

This term, "infected", in and of itself shows a lack of understanding of the vulnerability. The vulnerability can only be used to read files. It cannot be used to execute programs or write to files. Thus it's not possible for a virus or worm to use this vulnerability to propagate itself and "infect" computers.

The article states "Rouland said Brown Orifice is especially dangerous because it's easy to modify, and can be changed into a self-copying virus form -- as opposed to the current infection method, where a victim visits a Web site that includes the malicious code."

That statement shows a complete lack of understanding about the problem. The vulnerability cannot be used by a virus to infect machines.

Please fact check your stories. Double check any statements made by people in the computer security industry. Including those from us, SecurityFocus.com. This industry likes to exaggerate the danger of vulnerabilities. Nothing sells products like fear.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum