From a CERT advisory I received today (CA-2003-22, “Multiple vulnerabilities in Microsoft Internet Explorer”):
VU#548964 – Microsoft Windows BR549.DLL ActiveX control contains
The Microsoft Windows BR549.DLL ActiveX control, which provides
support for the Windows Reporting Tool, contains an unknown
vulnerability. The impact of this vulnerability is not known.
Could someone please explain to me what the hell this sort of report is supposed to mean? I mean, was this vulnerability discovered by consulting the Delphic oracles? Or has CERT decided that, in the present legal climate, they can only inform the world of critical bugs by means of gnomic utterances and vague allusions?
I can just see now where this is heading… two years from now, I’ll be getting this —
VU#xxxxxx – Software is all perfectly fine!
There has been a rumor that a certain piece of software has
a minute imperfection. Please do not listen to this at all, nudge
nudge, wink wink. There is no impact to this at all, and you should
not be in any way worried that it could allow an attacker to execute
arbitrary code on ***** systems with the privileges of the root user.
Have a nice day!