Comments by "Edward Cullen" (@edwardcullen1739) on "The "9.9" Linux Vulnerability Revealed: It's The Printers" video.
-
The scandal is the blasé nature of the response.
People, in general, do not appreciate how attacks work. It's not about one vulnerability that unlocks everything, it's about chaining vulnerabilities - getting onto the network via some neglected, "unimportant" device, then leveraging that to gain further, deeper access.
Knowing that all you need to do is find any UNIX system on a network and you've got root access? It's pure gold.
Vulnerabilities will happen, yes, and we shouldn't be jumping off bridges every time we find one... But there needs to be an appropriate response.
An unauthenticated, network-accessible RCE in software is the security equivalent of a doctor killing a patient and should be treated as seriously.
If not, you're simply in the wrong business and things will never get any better.