Bugtraq mailing list archives
Re: The newest Word flaw is due to malformed data structure handling
From: "Steven M. Christey" <coley () mitre org>
Date: Wed, 13 Dec 2006 21:06:10 -0500 (EST)
Alexander Sotirov said:
Descriptions of vulnerabilities, especially ones that are found in the wild, should include enough information to allow researchers to uniquely identify the new vulnerability and differentiate it from all other bugs, both known ones and 0days.
I say this periodically, e.g. in [1], but it's probably worth expanding here. In CVE, we've found that we need the following details in order to be reasonably certain whether two issues are the same or not: 1) bug type DIFFICULTY: terminology like "malformed data structure handling" and "memory corruption" do not indicate bug type. There are many ways that input can be "malformed," and more precise terminology is desperately needed in this area. People can contact me off-list for thoughts on the topic. 2) affected versions / patch levels DIFFICULTY: often not known, especially without coordinated disclosure 3) attack vectors (input parameters/fields, programs) *and* affected components where the issue is exposed. DIFFICULTY: often omitted from reports. Having a source diff doesn't necessarily tell you what the vectors are. A vendor can fix the component and you can't tell if it matches up with the vectors listed by the original researcher. 4) For correlation purposes (e.g. figuring out if a vendor fix is for vuln X or vuln Y), we find that time of disclosure, researcher name, and cross-references are valuable. DIFFICULTY: often omitted from reports. Items 1 through 3, however, are often enough information to construct an exploit. This is probably a natural result of having to distinguish between vulnerabilities.
Without that level of detail, you end up with this: http://www.securityfocus.com/archive/1/443288
Think of the amount of work that must have gone into that analysis, and you can understand how these essential details can be missed on a regular basis, in all sorts of disclosures. This is one example of how "post-disclosure analysis" is stylistically different from original research, but has its own technical demands. - Steve [1] "Making distinctions between similar-looking vulnerabilities" http://seclists.org/bugtraq/2004/Nov/0084.html
Current thread:
- The newest Word flaw is due to malformed data structure handling Juha-Matti Laurio (Dec 11)
- Re: The newest Word flaw is due to malformed data structure handling Alexander Sotirov (Dec 12)
- Re: The newest Word flaw is due to malformed data structure handling Dave "No, not that one" Korn (Dec 12)
- <Possible follow-ups>
- Re: Re: The newest Word flaw is due to malformed data structure handling test (Dec 12)
- Re: The newest Word flaw is due to malformed data structure handling Steven M. Christey (Dec 14)
- Re: The newest Word flaw is due to malformed data structure handling Juha-Matti Laurio (Dec 14)