Open Source and information security mailing list archives
Date: Fri, 09 Oct 2009 07:34:58 -0400
From: Valdis.Kletnieks@...edu
To: Thierry Zoller <Thierry@...ler.lu>
Cc: full-disclosure@...ts.grok.org.uk, Jonathan Leffler <jleffler@...ibm.com>
Subject: Re: When is it valid to claim that a vulnerability leads to a remote attack?

On Fri, 09 Oct 2009 12:09:08 +0200, Thierry Zoller said:
> IMHO it generally is classified as remote. Some vendors call it
> "user assisted remote arbitrary code execution" which, in my opinion,
> is just downplaying the issue - there are virtually unlimited means to
> get somebody or something to open such a file, some less assisted but
> still exploiting the issue at hand.

I concur with Thierry - the fact that one of the steps in the exploit is
"get the user to click on it" does *not* mean the vendor can stick their
head in the sand and claim it's not an issue.  It just means the exploit
will require a social engineering step as well as coding.

If you think that it's hard to get users to run the program for you, consider
that a very large community is making a lot of money sending users e-mail
that says "please go to this web page and enter your userid, password, and
credit card number so we can take all your money". Of course, they have to
do a little work so it looks like it came from the victim's bank...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/