Full Disclosure mailing list archives
Re: When is it valid to claim that a vulnerability leads to a remote attack?
From: Thierry Zoller <Thierry () Zoller lu>
Date: Fri, 9 Oct 2009 12:09:08 +0200
Hi Jonathan,

IMHO it generally is classified as remote. Some vendors call it "user assisted remote arbitrary code execution" which, in my opinion, is just downplaying the issue - there are virtually unlimited means to get somebody or something to open such a file, some less assisted but still exploiting the issue at hand.

If you want to find common ground with said person, propose the denomination above.

This subject is indeed interesting and worth discussing, not sure FD is the best place though.

Regards,
Thierry

JL> A reputable security defect reporting organization is claiming that a
JL> Windows program is subject to a remote attack because:
JL> * The vulnerable program (call it 'pqrminder') is registered as the
JL> 'handler' for files with a specific extension (call it '.pqr').
JL> * If the user downloads a '.pqr' file (or is sent one in the mail and clicks
JL> on it), then 'pqrminder' is invoked.
JL> * If the file is malformed, then arbitrary code can be executed (buffer
JL> overflow).
JL> While recognizing that there is a bug here, that does not strike me as
JL> being what is normally meant by a 'remote attack'.
JL> --
JL> Jonathan Leffler (jleffler () us ibm com)
JL> STSM, Informix Database Engineering, IBM Information Management
JL> 4400 N First St, San Jose, CA 95134-1257
JL> Tel: +1 408-956-2436 Tieline: 475-2436
JL> "I don't suffer from insanity; I enjoy every minute of it!"

--
http://blog.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/