From a CERT advisory I received today (CA-2003-22, “Multiple vulnerabilities in Microsoft Internet Explorer”):
VU#548964 – Microsoft Windows BR549.DLL ActiveX control contains vulnerability
The Microsoft Windows BR549.DLL ActiveX control, which provides support for the Windows Reporting Tool, contains an unknown vulnerability. The impact of this vulnerability is not known.
Could someone please explain to me what the hell this sort of report is supposed to mean? I mean, was this vulnerability discovered by consulting the Delphic oracles? Or has CERT decided that, in the present legal climate, they can only inform the world of critical bugs by means of gnomic utterances and vague allusions?
I can just see now where this is heading… two years from now, I’ll be getting this —
VU#xxxxxx – Software is all perfectly fine!
There has been a rumor that a certain piece of software has
a minute imperfection. Please do not listen to this at all, nudge
nudge, wink wink. There is no impact to this at all, and you should
not be in any way worried that it could allow an attacker to execute
arbitrary code on ***** systems with the privileges of the root user.
Have a nice day!
Chill. Less FUD, more google searching.
http://www.windows-help.net/windows98/ie50-18.shtml
err, never mind – at first glance, I thought you were worried about the presence of a “Microsoft Reporting Tool”, instead of the unreasonable vague nature of the report.
Carry on.
CERT is simply trying to construct a new language for discussing security issues, modeled around the C language paradigm.
This, for example, is just an uninitialized vulnerability. The syntax for vulnerabilities is as follows:
1 Vulnerability foo;
2 foo = new Vulnerability();
3 foo.exploit(ROOT);
Between step 1 and 2, the vulnerability foo is uninitialized, thus its impact is unknown.
Perhaps they need to use stricter compiler flags, to keep them from issuing uninitialized vulnerabilities?
Forward thinking
These are truly visionary people. I like that they know about an unknown vulnerability, perhaps they are laying the groundwork for reporting vulnerabilities in quantum computers.
Or maybe it is MUCH simpler than that. Perhaps they plan to start a new service “Ms Alert-A-Day” in which they pick a random Microsoft file and tell you that there is a vulnerability in said file. This way they no longer have to really look for problems in Windows, thus saving countless hours for work which the DoD funds, therefore saving us, the U.S. taxpayer, money!
Either way these people should be recognized for their unique perspective on security alerts. All hail C.E.R.T.!