Serious Discussion Three Unpatched Vulnerabilities Plague Comodo. Documented Online.

Would you use vulnerable and outdated software, when alternatives exist?

  • Yes

  • No


Who is arguing with dmknght due to him finding a Comodo CVE?


Who said that? And where did they say it?


The problem is not the fanbois and fangirlz. The problem is the software publisher itself. More specifically, it is

Comodo and Xcitium:
  • Have no dedicated developer team; Comodo companies use a pool of developers and subcontractors
  • The companies are notorious for fixing software for only a few years, then the software goes into maintenance
  • Reporting bugs and security problems has less than a 50% chance of ever getting them fixed
  • Comodo is no longer being developed (it should be stated that this can change at some point in the future, however unlikely)
In Comodo forums.

Also look here: he just says every AV has CVEs while literally ignoring this CVE.
 
Because new CIS users don't know anything about the history of CIS nor do they know who Melih is nor do they read all the good and bad stuff written on Comodo forum. New CIS users must be informed about this "marvellous" piece of software, one cannot repeat the same message often enough even if Melih is immune to this.
This is a strawman argument.

In any case, complaining over-and-over accomplishes nothing.

Besides, I thought Melih sold his CISter a long time ago and is no longer the owner of it?
Melih never sold Comodo (The Comodo Group, Inc). He remains Owner, President, and Chairman. He still controls all of it right down to all the source code.

The Comodo certificate business was sold.

Comodo Security Solutions, Inc was only rebranded as "Xcitium" and Melih controls it.


And new Comodo staff (the new CEO) made a statement some time ago on the Comodo forum that all the bugs would be solved!
Whatever statement was made is no longer relevant as the Comodo software has been placed into deep maintenance - which means it is not actively developed or maintained.
Also look here: he just says every AV has CVEs while literally ignoring this CVE.

It is not a good example. From the picture above, it does not follow that Xcitium ignores this and other CVEs. The author rather says that Xcitium, like any AV, has CVEs and, like any AV patches its CVEs.
However, it seems that the vendor was contacted early about this disclosure, but did not respond in any way.

 
The author rather says that Xcitium, like any AV, has CVEs and, like any AV patches its CVEs.
I would never patch a reported vulnerability unless there was at least a 50% probability that it would be exploited. I do not want to incur the labor expense.
From the ENISA Vulnerability Database, it follows that Comodo products (Comodo Dragon, CIS, CA, CF) had 13 vulnerabilities (reported last year), and 0 were exploited in the wild.
The database accepts Comodo as a vendor.
Of course, this cannot be an excuse for not fixing vulnerabilities; however, it can explain why some Comodo users do not care much about unpatched Comodo vulnerabilities.

Edit.
Although CIS cannot be considered Defense in Depth, it works as an efficient Security by Obscurity.:)
It can explain why some Comodo users do not care much about unpatched Comodo vulnerabilities.
Their systems. Their data. Their finances. Their life. Their choice. And nobody should care about what others like or dislike, choose or do not choose. Plus people on security forums need to stop harassing others for their use of or "promotion of Comodo" in the name of "Fighting the Good Fight Against Buggy & Vulnerable Comodo and Immoral Fanatics." Man, just leave the Comodo fanbois and fangirlz be.

The anti-Comodo agenda is bizarre. It is even more bizarre that some people expect diehard Comodo fans to acknowledge or state that the software has a lot of (potential) problems. They obviously don't know about people and psychology - at least not in the digital realm.
From the ENISA Vulnerability Database, it follows that Comodo products (Comodo Dragon, CIS, CA, CF) had 13 vulnerabilities (reported last year), and 0 were exploited in the wild.
The database accepts Comodo as a vendor.
Of course, this cannot be an excuse for not fixing vulnerabilities; however, it can explain why some Comodo users do not care much about unpatched Comodo vulnerabilities.

Edit.
Although CIS cannot be considered Defense in Depth, it works as an efficient Security by Obscurity.:)

Did you know the whole point of researchers finding 0-days is to fix the vulnerabilities before the bad guys find and exploit them "in the wild"?
 
I would never patch a reported vulnerability unless there was at least a 50% probability that it would be exploited. I do not want to incur the labor expense.

AFAIK, all bug bounty programs have priority categories. For example, the highest priority is remote code execution. The 2nd is local privilege escalation or remote file write / delete (and so on...). The lowest priority is "well, we can fix it later" (that "later" could mean more than 1 year, based on my personal experience lol). Either way, it's the developers' (or vendors') responsibility for their products. A few months ago I found an infinite loop when decompressing a zip file in the ClamAV beta. The developers tried fixing it ASAP. On a side note: ClamAV is open-source, so AFAIK it's not like they are making any profit from improving their code. But it's their responsibility and they did it well.
 
DMKnght will be ban hammered from Comodo forum.

One does not go there and openly report CVEs. That is not accepted or allowed.

As I mentioned earlier, I tried sending an email to Comodo's security email, or whatever they call it. It turned out, as I mentioned earlier, that a researcher did the same thing in 2019 and got no replies. So the best I can guess is that nobody has actually checked Comodo's security email since 2019 or even earlier.:devilish:
 
Did you know the whole point of researchers finding 0-days is to fix the vulnerabilities before the bad guys find and exploit them "in the wild"?

Why do you ask?

No worry, we did a good job. The vendor is responsible for what will happen next to customers.
Did you know the whole point of researchers finding 0-days is to fix the vulnerabilities before the bad guys find and exploit them "in the wild"?
That is the theory, but in practice a lot of reported vulnerabilities would never be exploited. Many reported POC vulnerabilities are quite ridiculous.

Either way, it's the developers' (or vendors') responsibility for their products.
No. Software publishers are not obligated to fix vulnerabilities, bugs, or anything else. There is no legal requirement to do so, unless that requirement is written in a contract or there is a covering regulation. Globally, there is no regulation that compels any developer to fix every vulnerability or bug. In fact, except for the ridiculous EU, there is no regulation in any country that requires any developer to fix vulnerabilities and bugs.

The EU's Cyber Resilience Act (CRA) (adopted 2024, phased in over the next few years) explicitly requires manufacturers of digital products — including security software — to provide security updates and vulnerability fixes for the expected product lifetime or at least 5 years. Noncompliance can lead to fines similar to GDPR levels.

The CRA is a disaster and permits sufficient loopholes and exceptions as to be meaningless.

Regulations such as the CRA can be used to kill-off FOSS projects, one-man developer shops, innovation, and will also just increase costs that will be passed onto the consumers, enterprises, and governments.

I am not interested in "Software publishers have a moral and ethical obligation to fix and maintain their software" arguments because that is irrelevant. I am only interested in what software publishers - the entire world over - are legally required to do.

As I mentioned earlier, I tried sending an email to Comodo's security email, or whatever they call it. It turned out, as I mentioned earlier, that a researcher did the same thing in 2019 and got no replies. So the best I can guess is that nobody has actually checked Comodo's security email since 2019 or even earlier.:devilish:
The fact of the matter is that Comodo is not interested in researchers reporting CVEs. The proof is in the responses on the Comodo forum and the long history of non-cooperation by Comodo.


I have heard from the previous VP Operations of Comodo, Haibo Zhang, that reporting CVEs to Comodo support is more effective. Posting anything that is perceived as "criticism" - even if 100% accurate - on the Comodo forum degenerates into a back-and-forth war.

It is best to just leave Comodo and its products alone, including Xcitium.
The vendor is responsible for what will happen next to customers.
Security software publishers being held accountable or responsible for security failures is virtually impossible under global laws. Only in the case of breach of contract (negligence, not meeting requirements, etc) could anyone pursue a legal remedy, and only then after they have suffered real financial losses. If anyone decided to sue a security software publisher because the product "failed to protect," then it would cost 100,000+ Euros before anyone went to the first hearing. Such trials invariably cost in the millions of Euros, and there is a low probability of a judgment in favor of the plaintiff(s).

I am not interested in any arguments that "Software publishers have a moral or ethical obligation to fix and maintain their software" as they do not.

The marketplace is always the judge of products and services, and despite literally thousands of security software failures over the decades consumers, enterprises, and governments keep on buying them and will continue to do so. Even PCMatic has fanbois and fangirlz.
That is the theory, but in practice a lot of reported vulnerabilities would never be exploited. Many reported POC vulnerabilities are quite ridiculous.

Maybe you misunderstood my point? In regular cases, the researcher and the CNA contact the vendor about the vulnerabilities and make sure all vulnerabilities are patched in the latest version before publishing details. Not all reports have a public POC. That is all an effort to make sure vulnerabilities are fixed before the bad guys can find and exploit them. Unless you meant "a lot of reported vulnerabilities would never be fixed", then it makes sense.
 
Maybe you misunderstood my point?
I understand. I know how the entire cycle and system works.

My point is that the software owner, Melih, does not care about reported vulnerabilities because in his estimation almost all reported vulnerabilities will never be exploited. So he's not going to ever fix most of them.

That is all an effort to make sure vulnerabilities are fixed before the bad guys can find and exploit them.
A lot of software publishers do not do this because they think that most of the reported vulnerabilities will not be exploited. It does not matter to them that threat actors can and some will discover the vulnerabilities.

As I stated earlier, I would never fix any vulnerability unless it had at least a 50% or greater probability of being exploited. Any vulns or other issues with a probability less than 0.50 and I would not fix them. The criticality or severity of the vulnerability does not matter.
 
I looked to see if others were also affected by the CVE. Here's just ONE example. Of course, that's no reason to say anything, so it's not a big deal. But I got the feeling that only Comodo was affected and extremely vulnerable, and it reawakened my concerns about the security of my "Beretta."
But:
Of the three remote attacks, I know where one of them came from. But the other two that Comodo successfully defended against? Maybe one from the CVEs? Please, as I said, I'm a complete novice in this, like with rocket science/design.

I'm not defending comodo or Melih (although I can say thank you for the gift of protection I've received so far), but I'm trying, fueled by these discussions, to figure out whether I'm really standing there with comodo and only comodo without a body armor, or with one that's already riddled with holes.

This is just ONE example.

However, one can (justifiably) object: the others are doing something about it, Comodo apparently isn't!?



bramley blue

Search Advisor that does not work... will not install simple Windows updates, I have to do that myself, via Windows settings... and a full system scan that takes over 15 hours to complete.... I have had my PC checked by a trained professional, and it has nothing to do with my computer. Customer services did not reply to me, so after 10 years of being with Bitdefender, and introducing hundreds of customers to your company, it's time to say farewell.

Your customer services used to be up there with the best; now they are at the very bottom. Did not even reply about the many faults I have mentioned above... good riddance.

Bitdefender Warns of Multiple Vulnerabilities That Let Attackers Execute MITM Attack

The first vulnerability (CVE-2024-13872) resides in the libboxhermes.so component of Bitdefender BOX v1, affecting firmware versions 1.3.11.490 through 1.3.11.505.

This security flaw stems from an insecure update mechanism where the device uses unencrypted HTTP protocol to download assets over the Internet for updating and restarting daemons and detection rules.

The vulnerability becomes exploitable when updates are remotely triggered through the /set_temp_token API method.

Mitigations

Both vulnerabilities pose serious security risks, with identical CVSS scores of 9.4 reflecting their critical severity. Attackers who successfully exploit these flaws could potentially access sensitive information passing through the network security device,
---------------------------------------------------
Briefly translated:

Remote control detected!
COMODO Secure Shopping is currently not active - Remote connection - Your screen may be monitored by others. If you are sure about this connection, click "Continue." However, urgent - terminate the remote connection after Secure Shopping is active again.
Please wait 99 seconds.

Looks like MITM.

However, I know where it's coming from here, so I was able to provoke it again, but not with the other two.

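The Bitdefender BOX item quoted in this post turns on one design flaw: update assets fetched over plain HTTP, which an on-path (MITM) attacker can rewrite before they reach the device. As an added example, not part of this thread and not any vendor's code, the Python below contrasts that weak pattern with an update client that refuses non-TLS sources and checks a pinned SHA-256 from an authenticated manifest. The URLs, asset bytes, the "manifest" digest and the in-memory stand-in for the network are all constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for the network: URL -> bytes the server would return.
# It lets the example run offline; a real client would use an HTTPS library
# with certificate validation instead of a dict lookup.
GENUINE_ASSET = b"detection-rules v2 (constructed sample)"
TAMPERED_ASSET = b"detection-rules v2 with attacker changes (constructed)"

HONEST_NETWORK = {
    "https://updates.example.invalid/rules.bin": GENUINE_ASSET,
    "http://updates.example.invalid/rules.bin": GENUINE_ASSET,
}

# Same network with an on-path attacker rewriting the plain-HTTP response.
# The TLS response is untouched: without a certificate the client trusts,
# the attacker cannot impersonate the update host.
MITM_NETWORK = {
    "https://updates.example.invalid/rules.bin": GENUINE_ASSET,
    "http://updates.example.invalid/rules.bin": TAMPERED_ASSET,
}

# Digest the client learned from a (hypothetical) manifest. Pinning it only
# helps if the manifest itself arrived over an authenticated channel.
EXPECTED_SHA256 = hashlib.sha256(GENUINE_ASSET).hexdigest()


class UpdateRejected(Exception):
    """Raised when an update fails the transport or integrity policy."""


def fetch_update(url, expected_sha256, network):
    """Return asset bytes only if fetched over TLS and matching the pinned digest."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected(f"refusing non-TLS update source: {url}")
    data = network[url]
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so the check itself leaks nothing.
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected("asset digest does not match the manifest")
    return data


def weak_fetch_update(url, network):
    """The insecure pattern: any scheme accepted, no integrity check at all."""
    return network[url]


def outcome(fetcher, *args):
    """Turn accept/reject into a short label so the two clients can be compared."""
    try:
        data = fetcher(*args)
    except UpdateRejected as exc:
        return f"rejected: {exc}"
    return "applied genuine" if data == GENUINE_ASSET else "applied TAMPERED"


if __name__ == "__main__":
    http_url = "http://updates.example.invalid/rules.bin"
    https_url = "https://updates.example.invalid/rules.bin"
    print("weak client, MITM on HTTP :", outcome(weak_fetch_update, http_url, MITM_NETWORK))
    print("hardened client, HTTP URL :", outcome(fetch_update, http_url, EXPECTED_SHA256, MITM_NETWORK))
    print("hardened client, HTTPS URL:", outcome(fetch_update, https_url, EXPECTED_SHA256, MITM_NETWORK))
    print("hardened client, bad pin  :", outcome(fetch_update, https_url, "00" * 32, HONEST_NETWORK))
```

The weak client happily installs whatever the attacker injected on the HTTP path; the hardened one never issues the plaintext request at all, and even over TLS it refuses an asset whose digest does not match. The digest check is only as strong as the channel that delivered the expected value, which is why a signed manifest verified against a key baked into the firmware is the stronger design.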
I understand. I know how the entire cycle and system works.

My point is that the software owner, Melih, does not care about reported vulnerabilities because in his estimation almost all reported vulnerabilities will never be exploited. So he's not going to ever fix most of them.


A lot of software publishers do not do this because they think that most of the reported vulnerabilities will not be exploited. It does not matter to them that threat actors can and some will discover the vulnerabilities.

As I stated earlier, I would never fix any vulnerability unless it had at least a 50% or greater probability of being exploited. Any vulns or other issues with a probability less than 0.50 and I would not fix them. The criticality or severity of the vulnerability does not matter.
Ah yeah I get it now. Anyway, I actually reported bugs / vulnerabilities to multiple vendors. Comodo is the only one in the list that doesn't care about their bugs lol.