
RT-AC88U Remote code execution fix


It uses the word "some", not "all".

They are simply saying that some stack may be vulnerable, some may not be. Miniupnpd is one specific stack that is not vulnerable, they specify it by name.

Why would they confirm a model vulnerable if they didn't test it?

Because a lot of these security outfits make assumptions without actually testing it, wanting to rush out their finding in the name of glory and fame. I've seen another such security analysis that was reporting issues which had actually been patched by Asus over a year ago at the time.

There is a reason why Linus Torvalds has very little respect for many of these firms, and I share his opinion: too many of these are more about marketing than actual technical analysis and fact reporting. This link is just one instance where he voiced his opinion on the matter, I've seen others in the past.

Asus did the right thing being better safe than sorry imo.

Which is the thing I'm telling you: Asus didn't make any change to the firmware code... The changelog simply did not reflect reality.
 
They are simply saying that some stack may be vulnerable, some may not be. Miniupnpd is one specific stack that is not vulnerable, they specify it by name.

So you are saying miniupnpd is the only one Asus uses. And so I assume the N66U uses something else or an older version, because they also specify that model by name. But again, why deflect to this over the RCE vulnerability that we have no info on?



Because a lot of these security outfits make assumptions without actually testing it, wanting to rush out their finding in the name of glory and fame. I've seen another such security analysis that was reporting issues which had actually been patched by Asus over a year ago at the time.

I don't believe that, they wouldn't just specify a model out of the blue.

There is a reason why Linus Torvalds has very little respect for many of these firms, and I share his opinion: too many of these are more about marketing than actual technical analysis and fact reporting. This link is just one instance where he voiced his opinion on the matter, I've seen others in the past.

I don't even know who runs the callstranger site, who is benefiting here. The only marketing I see being done right now is you for your firmware. Again, to assume the recent RCE vulnerability patch unnecessary without any facts to what it patches, is just as bad. Ironic you bring up Linus since they definitely had to patch that kernel for SAD DNS. Ironically Windows was the only OS not vulnerable by default.



Which is the thing I'm telling you: Asus didn't make any change to the firmware code... The changelog simply did not reflect reality.

So what you are saying is they put it in the changelog but it actually patched nothing, changed no code? Why was it only for certain models? That doesn't make sense. Maybe it was unnecessary, but if no code was even changed, that is quite an accusation against Asus and makes them seem very dishonest.
 
I already answered these questions. Re-read what I wrote.
 
I already answered these questions. Re-read what I wrote.

Didn't I already quote them before my replies? Everyone can read what you wrote. Don't think I repeated myself, so I accept your concession.

And to summarize, and as my last comment, I still find it unfortunate you refuse to patch a security vulnerability patched by Asus, because according to you it might not be necessary, and we should just cross our fingers it isn't. Going on two months now.
 
