| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 09 Oct 2009 13:44:38 -0400 From: "Elazar Broad" <elazar@...hmail.com> To: full-disclosure@...ts.grok.org.uk, pschmehl_lists@...rr.com Subject: Re: When is it valid to claim that a vulnerability leads to a remote attack? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 09 Oct 2009 10:24:02 -0400 Paul Schmehl <pschmehl_lists@...rr.com> wrote: >--On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler ><jleffler@...ibm.com> wrote: > >> >> A reputable security defect reporting organization is claiming >that a Windows >> program is subject to a remote attack because: >> >> * The vulnerable program (call it 'pqrminder') is registered as >the 'handler' >> for files with a specific extension (call it '.pqr'). >> * If the user downloads a '.pqr' file (or is sent on in the mail >and clicks >> on it), then 'pqrminder' is invoked. >> * If the file is malformed, then arbitrary code can be executed >(buffer >> overflow). >> >> While recognizing that there is a bug here, that does not strike >me as being >> what is normally meant by a 'remote attack'. > >In fact it's very typical of the types of attacks we see every day >now. By far >the most routinely successful attacks now are initiated through >some sort of >social engineering trick that requires user interaction to trigger >the >compromise. > >If by remote you mean "live interaction by the hacker at the point >of attack" >(as in a "traditional" hack), then no, it's not a remote attack. >I think the >more normal undertstanding of remote attack (although it's usually >worded >remote compromise) is that the result of a successful attack is >the opening of >a gateway that can lead to additional compromise or complete >takeover of a >machine. Given the details you've offered, think this qualifies >as >"potentially leading to a remote compromise" of a machine. > >The attack begins when the unsuspecting user clicks on a link to >either open an >attachment or view a webpage or video. In the background the >compromise takes >place, after which the malicious software "phones home", downloads >additional >tools, etc. until the host is completely and utterly compromised. > >-- >Paul Schmehl, Senior Infosec Analyst >As if it wasn't already obvious, my opinions >are my own and not those of my employer. >******************************************* >"It is as useless to argue with those who have >renounced the use of reason as to administer >medication to the dead." Thomas Jefferson > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ Think Adobe Acrobat, most of the issues had to do with file parsing(JBIG2 comes to mind), and the drive by campaigns exploiting the issue(s) were probably quite successful... elazar -----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQECAAYFAkrPdoYACgkQi04xwClgpZjcogP7B3C79Hr+0RJe9z0Ds9qO8ReKJIkB OLfm5QuifgEuz7Z/4mX2k0ZMqGkqJT3rBE2sR82vrTR2vNK0pMnoNxIy/V71MXBmdZqE PpXssC5LBRgWD29jFWeBIC0ORTrBZJ1+lcg3dmx9mYlr3moKk9yE3+GXg5Jds2vZvgDy OUqnnyk= =LCG2 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists