Since I’m not using sandbox functionalities, I’m not affected by this specific issue. In fact I’m still using CIS 3.14 on my production machines, since version 4 also had a - in my eyes - big security flaw, which brought me back to 3.14.
This is more a general post about handling bug reports:
A user reports a bug; he does this in the requested form and provides all the information needed.
A moderator confirms that there have already been similar reports.
The devs see no reason to do something about it, since the affected option isn’t used in the default configuration (meaning the devs even know about this bug).
Another moderator would like a discussion about security issues in case the buggy option is disabled - at this point the chances that the bug gets fixed are almost zero. But maybe a heated and emotional discussion about possible security issues will start and lead far, far away from the problem.
Sorry, I should have explained further. (We mods are all volunteers and so have limited time…)
I agree the ‘issue’ is known, and I agree that the author was very helpful in putting this in the right format. The difficulty for us is that the devs have made it clear that users should leave this unticked in normal usage and that they will be acceptably safe if they do so. So if I forward it as verified and make a tracking system entry, it will likely get marked as ‘invalid’ and not looked at.
But I retain some worries. I don’t know if these are soundly based or not. So the best way of progressing this issue, I’m thinking, is to see if anyone can come up with an example where leaving this unticked resulted in a demonstrable vulnerability - a PoC.
So, you’re telling me, a bug that doesn’t affect security isn’t a bug by COMODO’s definition.
As long as the sandbox is enabled, I don’t see a problem here. The sandbox does something similar to what the option does. At least concerning D+ alerts. Is outgoing traffic still allowed for sandboxed apps? Then maybe there could be a problem. But I have no PoC.
If the sandbox is disabled, I would definitely recommend to enable this option - so the devs’ statement should be refined a bit.
So, you're telling me, a bug that doesn't affect security isn't a bug by COMODO's definition.
Not really. What I mean is that this *specific* issue isn't really an issue if security is not affected. Boot time security was the reason for this setting. So if CIS has adequate ways of dealing with this w/o this setting under normal circumstances, then the need to keep this unticked unless malware infected is probably not an issue.
As long as the sandbox is enabled, I don't see a problem here. The sandbox does something similar to what the option does. At least concerning D+ alerts. Is outgoing traffic still allowed for sandboxed apps? Then maybe there could be a problem. But I have no PoC. If the sandbox is disabled, I would definitely recommend to enable this option - so the devs' statement should be refined a bit.
I think others have now answered these further points?
As far as I’m concerned, all is answered. Thanks for giving me a look behind the scenes. As you might already know, I’m not really happy now, but it’s pointless to discuss bug management since neither you nor I can change anything here.