Dailydave mailing list archives

Re: News is about the details

From: "Isaac Dawson" <isaac.dawson () gmail com>
Date: Wed, 21 Jun 2006 10:04:11 +0900

Everyone I know has been using client-side for IE/Browser based exploits
ever since nimda. But the media/vendors don't seem to use the term as much.
I honestly can't see why it /isn't/ used as the general term. We say
"client-side javascript", so why not client side exploitation?

-Isaac

On 6/20/06, Steven M. Christey <coley () mitre org> wrote:



Dave Aitel said:

>One thing I think Microsoft DOES have to change is their
>classification system for "remote" versus "remote (but really
>client-side)". It's confusing to the public

The whole remote/local thing has been problematic for a couple years,
so I won't rehash that too much.

The term we've started using in CVE is "user-complicit", which
recognizes that there are social engineering or external forces at
work.  In some cases, the only reasonable delivery mechanism occurs
over remote channels (say, via e-mail or a chat message), so we still
might say "remote user-complicit".  Our usage is still evolving
slightly.

Then you have what CVE calls "context-dependent" issues, which could
be local *or* remote, depending on how the affected product is being
used.  This frequently applies to general-purpose libraries, e.g. for
image manipulation.  In such cases, the library might frequently be
part of a web package or a command line program.

Both terms are clunky and will die as soon as someone comes up with
something better.

There have been a few possible terms tossed around in this area, but I
don't think anybody's hit on the right answer yet, where "right" means
"usable enough that it reaches a flash point where everyone starts
saying it."  We need a lot more terminological flash points in this
biz.

- Steve

=======================================================================

Disclaimer: This message was publicly posted for the purpose of timely
technical information exchange, and may contain errors, omissions, or
imprecise conversational tone.  Stated opinions are those of Steve
Christey and may be imprecise or evolve over time.  They do not
necessarily reflect the views of The MITRE Corporation.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

News is about the details Dave Aitel (Jun 14)
- <Possible follow-ups>
- Re: News is about the details Steven M. Christey (Jun 20)
  - Re: News is about the details Isaac Dawson (Jun 21)
  - PaiMei RE Framework Pedram Amini (Jun 21)