Dailydave mailing list archives

Re: News is about the details


From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 19 Jun 2006 18:04:03 -0400 (EDT)


Dave Aitel said:

> One thing I think Microsoft DOES have to change is their
> classification system for "remote" versus "remote (but really
> client-side)". It's confusing to the public

The whole remote/local thing has been problematic for a couple years,
so I won't rehash that too much.

The term we've started using in CVE is "user-complicit", which
recognizes that there are social engineering or external forces at
work.  In some cases, the only reasonable delivery mechanism occurs
over remote channels (say, via e-mail or a chat message), so we still
might say "remote user-complicit".  Our usage is still evolving
slightly.

Then you have what CVE calls "context-dependent" issues, which could
be local *or* remote, depending on how the affected product is being
used.  This frequently applies to general-purpose libraries, e.g. for
image manipulation.  In such cases, the library might frequently be
part of a web package or a command line program.

Both terms are clunky and will die as soon as someone comes up with
something better.

There have been a few possible terms tossed around in this area, but I
don't think anybody's hit on the right answer yet, where "right" means
"usable enough that it reaches a flash point where everyone starts
saying it."  We need a lot more terminological flash points in this
biz.

- Steve

=======================================================================

Disclaimer: This message was publicly posted for the purpose of timely
technical information exchange, and may contain errors, omissions, or
imprecise conversational tone.  Stated opinions are those of Steve
Christey and may be imprecise or evolve over time.  They do not
necessarily reflect the views of The MITRE Corporation.