[RndTbl] wireshark warning

Trevor Cordes trevor at tecnopolis.ca
Fri Jan 17 19:38:07 CST 2014


On 2014-01-17 Sean Walberg wrote:
> Your statement is a bit unfair. http://wiki.wireshark.org/Security
> has a good explanation of why there are so many patches. I'd argue
> that "number of updates with the security flag" is a terrible metric
> of security in any product.

I apologize if I came across as harsh against the valuable and excellent
wireshark project.  I personally often use wireshark and in no way am
trying to dissuade anyone from doing the same.

I think I was pretty clear that I only wanted to remind people to "yum
update" their wireshark on a regular basis, and mentioned the probable
difficulty of doing that on a non-package-managed OS like Windows.

I also made it clear that my only metric of "insecurity" in that email
was the raw CVE count.  I never claimed that it was a "good" or "best"
metric. However, it is often the only metric we have for FOSS, and
certainly the one most visible and readily available.

I will add, however, that in my viewpoint, CVEs that are remotely
exploitable without authentication (most wireshark CVEs fit that bill)
are the most pernicious, and dangerous, and do deserve heightened
scrutiny.

The fact that a (not very) out-of-date wireshark listening on (and
displaying results from) an internet connection can be pwned simply by
an attacker (or bots) sending malicious packets at random is precisely
identical to the very XP vulnerability you mention.  While running
wireshark as non-root is recommended, I still would not want my
personal non-root account getting pwned, as much damage could still be
done (including escalation attempts).

Moral of the story we can all agree upon: update your wireshark
regularly, and again right before you use it on internet-facing
interfaces!
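The two habits the post ends on (update before capturing, and keep the dissector-running process unprivileged) can be turned into a quick pre-capture checklist. The script below is an added example written for this reply and is not part of the original thread or of the Wireshark project; it assumes the listing format of `yum check-update` (name.arch version repo) and of `ps -eo user,comm` (USER COMMAND), and the sample listings embedded in it are constructed with placeholder versions so the functions can be exercised offline.

```shell
#!/bin/sh
# Pre-capture checklist (added example, not from the original thread):
#  (a) is a wireshark package update pending?  -> update before capturing
#  (b) is wireshark/tshark running as root?     -> dissectors should not be privileged
# Both checks take their input as text so they run offline; in real use feed
# them the output of `yum check-update` and `ps -eo user,comm`.

# Constructed sample of `yum check-update` output (placeholder versions).
SAMPLE_UPDATES='Loaded plugins: fastestmirror
wireshark.x86_64                X.Y.Z-1.example            updates
wireshark-gnome.x86_64          X.Y.Z-1.example            updates
'

# Constructed sample of `ps -eo user,comm` output.
SAMPLE_PS='USER     COMMAND
root     sshd
root     wireshark
alice    tshark
'

# Returns 0 (true) when a yum check-update style listing names a wireshark package.
# $1: listing text, one "name.arch version repo" entry per line.
wireshark_update_pending() {
    printf '%s\n' "$1" | awk '$1 ~ /^wireshark/ { found = 1 } END { exit !found }'
}

# Returns 0 (true) when wireshark or tshark (the processes that run the
# dissectors) is owned by root.  dumpcap is deliberately not flagged: it is
# the capture-only helper that privilege separation leaves privileged.
# $1: process listing in "USER COMMAND" format.
capture_running_as_root() {
    printf '%s\n' "$1" |
        awk '$1 == "root" && $2 ~ /^(wireshark|tshark)$/ { found = 1 } END { exit !found }'
}

# Runs both checks, prints a warning per finding, and returns the number of
# findings (0 means it is reasonable to start capturing).
# $1: yum check-update output   $2: ps -eo user,comm output
precapture_check() {
    problems=0
    if wireshark_update_pending "$1"; then
        echo "WARN: wireshark package update pending; run 'yum update wireshark' first"
        problems=$((problems + 1))
    fi
    if capture_running_as_root "$2"; then
        echo "WARN: wireshark/tshark running as root; run them as an unprivileged user"
        problems=$((problems + 1))
    fi
    return $problems
}

# Demonstration on the constructed samples (both warnings fire).
if precapture_check "$SAMPLE_UPDATES" "$SAMPLE_PS"; then
    echo "pre-capture check: OK"
fi
```

On a live box the two arguments would be `"$(yum check-update)"` and `"$(ps -eo user,comm)"`; `yum check-update` exits 100 when updates exist, so capture its output rather than relying on its exit code. The root check is written around the processes that parse packets, since those are where the bulk of the CVEs the thread discusses are found.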
