Secure Coding mailing list archives
Re: Re: DJB's students release 44 poorly-worded, overblown advisories
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 20 Dec 2004 21:22:59 +0000
Paco Hope wrote:

> Bernstein has a history of being inflammatory, and in this case I think he has done the whole security community a disservice. He has called everything a "remotely exploitable security hole" even when exploiting it requires explicit user actions. He's playing fast and loose with terminology, which can't help anybody.
>
> Hmmm ... Somebody's gotta come up with a reasonable definition of "remotely exploitable." Consider the following statement:
>
> Limin Wang has discovered two remotely exploitable security holes in abc2midi.
> http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt
>
> If you read the exploit description, he says:
>
> You are at risk if you take an ABC file from an email message (or a web page or any other source that could be controlled by an attacker) and feed that file through abc2midi. Whoever provides the ABC file then has complete control over your account: she can read and modify your files, watch the programs you're running, etc.

IMHO, that is a perfectly reasonable use of the term "remotely exploitable". The attack is to e-mail malicious content to a naive user, hence the "remote" and "exploit". In my experience, this is also compliant with standard usage.

> When IE has a buffer overflow that can be exploited by carefully crafted HTML in an email or web page, do we call that "remotely exploitable"?

Yes, actually, we do.

> How about those viruses that spread as password-protected zip files attached to emails?

They are also remote exploits.

> The user has to click them and then enter the password before they're activated? Aren't those "viruses" or "trojans"?

The viruses are distinguished from the worms in that the viruses require naive user action to propagate (click this here, use the "password" there, etc.) while the worms propagate without user intervention. But both are remote exploits.

> If they exploited notepad.exe when they activated would we announce a "remote exploit" on notepad.exe? They exploit a buffer overflow in local software, but they require action by the user before they can activate.

The difference between a local and a remote exploit, in this context, is that a local exploit requires overt action on the part of the user, e.g. take these 7 steps to perform the local exploit. A remote exploit can include malicious content that you can e-mail to a naive user and reasonably expect them to do what is required to perform the exploit, such as "click on the attachment".

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com