Re: When is it valid to claim that a vulnerability leads to a remote attack?

["Elazar Broad" <elazar () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Fri, 09 Oct 2009 10:24:02 -0400 Paul Schmehl
<pschmehl_lists () tx rr com> wrote:
> --On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler
> <jleffler () us ibm com> wrote:
>
> > A reputable security defect reporting organization is claiming
> that a Windows
> > program is subject to a remote attack because:
> >
> > * The vulnerable program (call it 'pqrminder') is registered as
> the 'handler'
> > for files with a specific extension (call it '.pqr').
> > * If the user downloads a '.pqr' file (or is sent on in the mail
> and clicks
> > on it), then 'pqrminder' is invoked.
> > * If the file is malformed, then arbitrary code can be executed
> (buffer
> > overflow).
> >
> > While recognizing that there is a bug here, that does not strike
> me as being
> > what is normally meant by a 'remote attack'.
>
> In fact it's very typical of the types of attacks we see every day
> now.  By far
> the most routinely successful attacks now are initiated through
> some sort of
> social engineering trick that requires user interaction to trigger
> the
> compromise.
>
> If by remote you mean "live interaction by the hacker at the point
> of attack"
> (as in a "traditional" hack), then no, it's not a remote attack.
> I think the
> more normal undertstanding of remote attack (although it's usually
> worded
> remote compromise) is that the result of a successful attack is
> the opening of
> a gateway that can lead to additional compromise or complete
> takeover of a
> machine.  Given the details you've offered,  think this qualifies
> as
> "potentially leading to a remote compromise" of a machine.
>
> The attack begins when the unsuspecting user clicks on a link to
> either open an
> attachment or view a webpage or video.  In the background the
> compromise takes
> place, after which the malicious software "phones home", downloads
> additional
> tools, etc. until the host is completely and utterly compromised.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Think Adobe Acrobat, most of the issues had to do with file
parsing(JBIG2 comes to mind), and the drive by campaigns exploiting
the issue(s) were probably quite successful...

elazar
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkrPdoYACgkQi04xwClgpZjcogP7B3C79Hr+0RJe9z0Ds9qO8ReKJIkB
OLfm5QuifgEuz7Z/4mX2k0ZMqGkqJT3rBE2sR82vrTR2vNK0pMnoNxIy/V71MXBmdZqE
PpXssC5LBRgWD29jFWeBIC0ORTrBZJ1+lcg3dmx9mYlr3moKk9yE3+GXg5Jds2vZvgDy
OUqnnyk=
=LCG2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/