Bugtraq mailing list archives
Re: On classifying attacks
From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 18 Jul 2005 16:07:51 -0400 (EDT)
Derek Martin said:
The vulnerability is neither truly remote nor local, in the normal senses as we have defined them here. It is a different kind of vulnerability altogether. The vulnerability is one to automatically triggering trojan horses....
I agree with you on the need for a third category. Another term could be "user-complicit," which reflects the core role that the user has in activating the vulnerability, versus the traditional "automatic" exploitation (no human user interaction) and "opportunistic" exploitation (attacker has no control over when the vulnerable state occurs, as can happen in some types of information leaks for example). Depending on the normal channels by which the "trojan" is delivered, the attack could be "local user-complicit" or "remote user-complicit." For example, images are usually shared in some remote fashion, thus a vulnerability in an image renderer could be remote user-complicit, whereas a vulnerability that requires a local user to trick another local user into changing into a directory with a large name would be local user-complicit. One small difficulty I have with associating this too closely with the "trojan horse" terminology is that many Trojans are inserted after a vulnerability has been exploited and access is gained, so this further muddies the waters of an already vague term. - Steve
Current thread:
- On classifying attacks Derek Martin (Jul 15)
- RE: On classifying attacks Bryan McAninch (Jul 15)
- Re: On classifying attacks James Longstreet (Jul 16)
- Re: On classifying attacks Derek Martin (Jul 16)
- Re: On classifying attacks Godwin Stewart (Jul 18)
- Re: On classifying attacks James Longstreet (Jul 18)
- Re: On classifying attacks Adam Shostack (Jul 19)
- Re: On classifying attacks Mihai Amarandei-Stavila (Jul 18)
- Re: On classifying attacks Derek Martin (Jul 16)
- Re: On classifying attacks Crispin Cowan (Jul 18)
- Re: On classifying attacks Indigo Haze (Jul 16)
- <Possible follow-ups>
- Re: On classifying attacks Steven M. Christey (Jul 18)
- Re: On classifying attacks Dustin D. Trammell (Jul 19)
- RE: On classifying attacks Black, Michael (Jul 19)
- Re: On classifying attacks Crispin Cowan (Jul 19)
- Re: On classifying attacks Technica Forensis (Jul 20)
- Re: On classifying attacks Crispin Cowan (Jul 27)
- Re: On classifying attacks Crispin Cowan (Jul 19)
- Re: On classifying attacks Crispin Cowan (Jul 28)