[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20091009174438.8AFC911804D@smtp.hushmail.com>
Date: Fri, 09 Oct 2009 13:44:38 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk, pschmehl_lists@...rr.com
Subject: Re: When is it valid to claim that a
vulnerability leads to a remote attack?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 09 Oct 2009 10:24:02 -0400 Paul Schmehl
<pschmehl_lists@...rr.com> wrote:
>--On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler
><jleffler@...ibm.com> wrote:
>
>>
>> A reputable security defect reporting organization is claiming
>that a Windows
>> program is subject to a remote attack because:
>>
>> * The vulnerable program (call it 'pqrminder') is registered as
>the 'handler'
>> for files with a specific extension (call it '.pqr').
>> * If the user downloads a '.pqr' file (or is sent on in the mail
>and clicks
>> on it), then 'pqrminder' is invoked.
>> * If the file is malformed, then arbitrary code can be executed
>(buffer
>> overflow).
>>
>> While recognizing that there is a bug here, that does not strike
>me as being
>> what is normally meant by a 'remote attack'.
>
>In fact it's very typical of the types of attacks we see every day
>now. By far
>the most routinely successful attacks now are initiated through
>some sort of
>social engineering trick that requires user interaction to trigger
>the
>compromise.
>
>If by remote you mean "live interaction by the hacker at the point
>of attack"
>(as in a "traditional" hack), then no, it's not a remote attack.
>I think the
>more normal undertstanding of remote attack (although it's usually
>worded
>remote compromise) is that the result of a successful attack is
>the opening of
>a gateway that can lead to additional compromise or complete
>takeover of a
>machine. Given the details you've offered, think this qualifies
>as
>"potentially leading to a remote compromise" of a machine.
>
>The attack begins when the unsuspecting user clicks on a link to
>either open an
>attachment or view a webpage or video. In the background the
>compromise takes
>place, after which the malicious software "phones home", downloads
>additional
>tools, etc. until the host is completely and utterly compromised.
>
>--
>Paul Schmehl, Senior Infosec Analyst
>As if it wasn't already obvious, my opinions
>are my own and not those of my employer.
>*******************************************
>"It is as useless to argue with those who have
>renounced the use of reason as to administer
>medication to the dead." Thomas Jefferson
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
Think Adobe Acrobat, most of the issues had to do with file
parsing(JBIG2 comes to mind), and the drive by campaigns exploiting
the issue(s) were probably quite successful...
elazar
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
wpwEAQECAAYFAkrPdoYACgkQi04xwClgpZjcogP7B3C79Hr+0RJe9z0Ds9qO8ReKJIkB
OLfm5QuifgEuz7Z/4mX2k0ZMqGkqJT3rBE2sR82vrTR2vNK0pMnoNxIy/V71MXBmdZqE
PpXssC5LBRgWD29jFWeBIC0ORTrBZJ1+lcg3dmx9mYlr3moKk9yE3+GXg5Jds2vZvgDy
OUqnnyk=
=LCG2
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists