[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL
Rémi Denis-Courmont
remi at remlab.net
Fri Mar 10 18:20:21 CET 2017
On Friday, 10 March 2017, 18:03:02 EET, Jean-Baptiste Kempf wrote:
> On Fri, 10 Mar 2017, at 17:57, Rémi Denis-Courmont wrote:
> > > Yet, this is using the default KnownDLL list.
> >
> > But that is the whole point. This is only the _default_.
>
> Yes, and that fixes the issue for most configurations.
>
> > Microsoft can extend the list and make this fix redundant. The admin,
> > maybe
> > the user, or an attacker can remove another entry from the list. It is
> > presumptuous to call that a fix if it depends on the default settings to
> > work.
> > It is not a fix in my book. Especially not for a security
> > vulnerability.
>
> I'm listening to a fix according to your book.
I did not promise to fix anything. I was not even asked for an opinion before
the PR was released.
>
> > There are already rumors that VideoLAN was strong-armed to add or leave
> > open
> > this vulnerability. It will get worse: We have known this issue since at
> > least
> > July of last year, and yet we only fixed it partially at the time.
>
> If you modify the KnownDLL list, you are root, and your system is
> compromised,
> and we cannot do anything. We cannot fix Windows.
Yes. You can't fix Windows. So why do you try to work around it being
supposedly broken still?
>
> > lastly,
> > the board has issued a PR about how the issue is taken very seriously and
> > will be fixed.
>
> Where did the _board_ issue any PR?
Are you trolling or are you only trolling?
http://images.videolan.org/press/PR_CIA_Vault7_VLC.pdf
Since you are trolling, I am ignoring you on this thread and with prejudices.
--
雷米‧德尼-库尔蒙
https://www.remlab.net/