[LWN Logo]
[Timeline]
Date:         Mon, 7 Aug 2000 18:47:02 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject:      Re: Brown Orifice
To: BUGTRAQ-PRESS@SECURITYFOCUS.COM

One member of the press pointed to me an article by the Associated Press
on this vulnerability. You can read it at
http://www.mercurycenter.com/svtech/news/breaking/ap/docs/283815l.htm

Sadly, the article starts off with the wrong foot by claiming almost
1,000 computers have been already infected. This is a false statement.
The author either simply wrote something that was told to him by a
member of the security industry, or he visited the Brown Orifice
site which has list of how many people have downloaded the applet
and assumed these people are running the applet without their knowledge.

The people that visited the Brown Orifice site, downloaded the applet
and executed it did so with their full knowledge. They did so to test
the vulnerability. They are not victims. They are not "infected".

This term, "infected", in it of itself show a lack of understanding
of the vulnerability. The vulnerability can only be used to read files.
It cannot be used to execute programs or write to files. Thus its not
possible for a virus or worm to use this vulnerability to propagate
itself and "infect" computers.

The article states "Rouland said Brown Orifice is especially dangerous
because it's easy to modify, and can be changed into a self-copying virus
form -- as opposed to the current infection method, where a victim visits a
Web site that includes the malicious code."

That statement shows a complete lack of understand about the problem.
The vulnerability cannot be used by a virus to infect machines.

Please fact check your stories. Double check any statements made by
people in the computer security industry. Including those from us,
SecurityFocus.com. This industry likes to exaggerate the danger of
vulnerabilities. Nothing sells products like fear.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum