Full Disclosure mailing list archives
Re: When is it valid to claim that a vulnerability leads to a remote attack?
From: "Elazar Broad" <elazar () hushmail com>
Date: Fri, 09 Oct 2009 13:44:38 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 09 Oct 2009 10:24:02 -0400 Paul Schmehl <pschmehl_lists () tx rr com> wrote:

> --On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler <jleffler () us ibm com> wrote:
>
>> A reputable security defect reporting organization is claiming that a Windows
>> program is subject to a remote attack because:
>>
>> * The vulnerable program (call it 'pqrminder') is registered as the 'handler'
>>   for files with a specific extension (call it '.pqr').
>> * If the user downloads a '.pqr' file (or is sent one in the mail and clicks
>>   on it), then 'pqrminder' is invoked.
>> * If the file is malformed, then arbitrary code can be executed (buffer
>>   overflow).
>>
>> While recognizing that there is a bug here, that does not strike me as being
>> what is normally meant by a 'remote attack'.
>
> In fact it's very typical of the types of attacks we see every day now. By far
> the most routinely successful attacks now are initiated through some sort of
> social engineering trick that requires user interaction to trigger the
> compromise. If by remote you mean "live interaction by the hacker at the point
> of attack" (as in a "traditional" hack), then no, it's not a remote attack. I
> think the more normal understanding of remote attack (although it's usually
> worded remote compromise) is that the result of a successful attack is the
> opening of a gateway that can lead to additional compromise or complete
> takeover of a machine. Given the details you've offered, I think this
> qualifies as "potentially leading to a remote compromise" of a machine. The
> attack begins when the unsuspecting user clicks on a link to either open an
> attachment or view a webpage or video. In the background the compromise takes
> place, after which the malicious software "phones home", downloads additional
> tools, etc. until the host is completely and utterly compromised.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions are my own and not those of my
> employer.
> *******************************************
> "It is as useless to argue with those who have renounced the use of reason as
> to administer medication to the dead."
> Thomas Jefferson
Think Adobe Acrobat: most of the issues had to do with file parsing (JBIG2 comes to mind), and the drive-by campaigns exploiting the issue(s) were probably quite successful...

elazar

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkrPdoYACgkQi04xwClgpZjcogP7B3C79Hr+0RJe9z0Ds9qO8ReKJIkB
OLfm5QuifgEuz7Z/4mX2k0ZMqGkqJT3rBE2sR82vrTR2vNK0pMnoNxIy/V71MXBmdZqE
PpXssC5LBRgWD29jFWeBIC0ORTrBZJ1+lcg3dmx9mYlr3moKk9yE3+GXg5Jds2vZvgDy
OUqnnyk=
=LCG2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
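The bug class the thread is arguing about (a file handler that trusts a length field inside a downloaded file and overruns a fixed stack buffer) is easy to show in miniature. The following C is an added example, not code from any poster or from any real '.pqr' handler: the file layout (4-byte magic "PQR1", one length byte, then that many name bytes), the function names and the sample files are all assumptions constructed for this illustration. It places the vulnerable parse beside a bounds-checked one so the two checks the hardened version adds are visible.

```c
/* Added example for the hypothetical '.pqr' format used as a placeholder in
 * the thread. Layout (an assumption made here): 4-byte magic "PQR1",
 * 1-byte name length N, then N bytes of name; anything after that is ignored. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PQR_NAME_MAX 16          /* fixed buffer the file must fit into */

struct pqr_record {
    char name[PQR_NAME_MAX];
};

/* The bug pattern the thread describes: the length byte is attacker-controlled
 * and copied into a fixed stack buffer with no bound check. A file whose length
 * byte is >= PQR_NAME_MAX smashes the stack (undefined behaviour), and one that
 * is shorter than it claims reads past the input. Only call this with a
 * well-formed file; it is here to show the defect, not to be run on hostile input. */
int pqr_parse_vulnerable(const uint8_t *buf, size_t len, struct pqr_record *out)
{
    char name[PQR_NAME_MAX];
    if (len < 5 || memcmp(buf, "PQR1", 4) != 0)
        return -1;
    uint8_t n = buf[4];
    memcpy(name, buf + 5, n);    /* n is not checked against sizeof name or len */
    name[n] = '\0';              /* also writes past the buffer when n >= 16 */
    memcpy(out->name, name, (size_t)n + 1);
    return 0;
}

/* Hardened form: every attacker-controlled length is checked against both the
 * destination buffer and the bytes actually present before any copy happens. */
int pqr_parse(const uint8_t *buf, size_t len, struct pqr_record *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (len < 5 || memcmp(buf, "PQR1", 4) != 0)
        return -1;               /* truncated header or bad magic */
    size_t n = buf[4];
    if (n >= PQR_NAME_MAX)
        return -2;               /* name (plus NUL) would not fit the buffer */
    if (n > len - 5)
        return -3;               /* file claims more name bytes than it contains */
    memcpy(out->name, buf + 5, n);
    out->name[n] = '\0';
    return 0;
}

/* Constructed sample files. */
static const uint8_t benign_pqr[]    = { 'P','Q','R','1', 5, 'h','e','l','l','o' };
/* Length byte 200 with a 16-byte destination: the stack-smashing case. */
static const uint8_t malformed_pqr[] = { 'P','Q','R','1', 200, 'A','A','A','A' };
/* Length byte 10 but only 2 name bytes present: the over-read case. */
static const uint8_t truncated_pqr[] = { 'P','Q','R','1', 10, 'A','B' };

int main(void)
{
    struct pqr_record r;
    if (pqr_parse(benign_pqr, sizeof benign_pqr, &r) == 0)
        printf("benign file parsed, name=%s\n", r.name);
    printf("oversized length rejected: %d\n",
           pqr_parse(malformed_pqr, sizeof malformed_pqr, &r));
    printf("truncated file rejected:   %d\n",
           pqr_parse(truncated_pqr, sizeof truncated_pqr, &r));
    return 0;
}
```

The point the example makes about the thread's question: nothing in either parser cares where the file came from. Whether the user opened it from a mail attachment or a browser download, the same byte reaches the same unchecked `memcpy`, which is why the delivery mechanism rather than the parser is what decides if the bug is reachable remotely.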