Secure Coding mailing list archives

Re: Re: DJB's students release 44 poorly-worded, overblown advisories


From: Crispin Cowan <crispin () immunix com>
Date: Mon, 20 Dec 2004 21:22:59 +0000


Paco Hope wrote:

> Bernstein has a history of being inflammatory, and in this case I think he
> has done the whole security community a disservice. He has called everything
> a "remotely exploitable security hole" even when exploiting it requires
> explicit user actions. He's playing fast and loose with terminology, which
> can't help anybody.

Hmmm ...

> Somebody's gotta come up with a reasonable definition of "remotely
> exploitable." Consider the following statement:
>
>> Limin Wang has discovered two remotely exploitable security holes in
>> abc2midi. http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt
>
> If you read the exploit description, he says:
>
>> You are at risk if you take an ABC file from an email message (or a web
>> page or any other source that could be controlled by an attacker) and
>> feed that file through abc2midi. Whoever provides the ABC file then has
>> complete control over your account: she can read and modify your files,
>> watch the programs you're running, etc.

IMHO, that is a perfectly reasonable use of the term "remotely 
exploitable". The attack is to e-mail malicious content to a naive user, 
hence the "remote" and "exploit". In my experience, this is also 
compliant with standard usage.

> When IE has a buffer overflow that can be exploited by carefully crafted
> HTML in an email or web page, do we call that "remotely exploitable"?

Yes, actually, we do.

> How about those viruses that spread as password-protected zip files
> attached to emails?

They are also remote exploits.

> The user has to click them and then enter the password before
> they're activated? Aren't those "viruses" or "trojans"?

The viruses are distinguished from the worms in that the viruses require 
naive user action to propagate (click this here, use the "password" 
there, etc.) while the worms propagate without user intervention. But 
both are remote exploits.

> If they exploited notepad.exe when they activated would we announce a
> "remote exploit" on notepad.exe? They exploit a buffer overflow in local
> software, but they require action by the user before they can activate.

The difference between a local and a remote exploit, in this context, is 
that a local exploit requires overt action on the part of the user, e.g. 
take these 7 steps to perform the local exploit. A remote exploit can 
include malicious content that you can e-mail to a naive user and 
reasonably expect them to do what is required to perform the exploit, 
such as "click on the attachment".


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com