ImgBurn vulnerability

http://www.h-online.com/security/ne...ImgBurn-disk-burning-application-1163003.html

 

Not to diminish the seriousness of the vulnerability in the application...but where have we seen this before As usual, social engineering and PEBKAC Syndrome are the keys to exploiting the applications flaw.

 

The phrase "don't open untrusted anything" is pretty idiotic if you think about.
Trust is the most tricky problem of all in the whole security business. What's a "trusted file"? What's "untrusted"? How can you determine which is which? Most of all data that comes over the internet is untrusted: You don't know where it's coming from, who created it, who had access to it and could have modified it, you don't know if it's being tampered with while you are accessing it over the wire and so on.
We already established the weakest link is the user, relying on him to make this most difficult decision makes no sense.

The only sensible approach is designing secure software, least privilege, access control, privilege isolation and so on. Random exploit (or backdoor for that matter) in rarely patched 3rd party apps should never result in a full system/user files compromise.

but that's old stuff, preaching to the choir...

 

Fixed --> https://www.wilderssecurity.com/showthread.php?t=290882

 

Pretty easy, actually;

1. Trusted: known, software vendor's site.
2. Untrusted: unknown, alternative site

I tend to go for the first option. Never failed me once in many years of downloading and installing hundreds of files

 

Years ago, I'd agree with you straight away. But, recent history has shown me things aren't as I thought they were: white or black. Unfortunately, there's a grey area.

And, unfortunately, this grey area, for example, includes security vendors websites being compromised. So, when I download something from these security vendors, can I be 100% sure they haven't been compromised once more, and that I'm not downloading adulterated files?

This, then makes wonder if something I'm downloading from a trusted software vendor's site is to be 100% trusted. We do need to make a compromise to what we deem to be trusted, though, right?

Maybe is just a like a web site; what is a trusted and an untrusted one? Long gone are those days.

 

No one needs to agree. It's just the way I perceive it based on past and recent experience Until I experience otherwise, I maintain my view on this.

 

I have gone from one end of the spectrum to the other, over the years. In my latter days though, i have relaxed all of my security & tend to stay away from untrusted sources. I know what my surfing habits are & know when to up the tempo, whether it be a VM or in a sandbox. My computer i run today has no security software running real-time, only the the OSs features, Sysinternals & a decent system resource monitor.

Life in the computing world has never been so easy for me.