Re: [Full-disclosure] When is it valid to claim that a vulnerability leads to a remote attack?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Fri, 09 Oct 2009 10:24:02 -0400 Paul Schmehl
<pschmehl_lists@xxxxxxxxx> wrote:
--On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler
<jleffler@xxxxxxxxxx> wrote:


A reputable security defect reporting organization is claiming
that a Windows
program is subject to a remote attack because:

* The vulnerable program (call it 'pqrminder') is registered as
the 'handler'
for files with a specific extension (call it '.pqr').
* If the user downloads a '.pqr' file (or is sent on in the mail
and clicks
on it), then 'pqrminder' is invoked.
* If the file is malformed, then arbitrary code can be executed
(buffer
overflow).

While recognizing that there is a bug here, that does not strike
me as being
what is normally meant by a 'remote attack'.

In fact it's very typical of the types of attacks we see every day
now. By far
the most routinely successful attacks now are initiated through
some sort of
social engineering trick that requires user interaction to trigger
the
compromise.

If by remote you mean "live interaction by the hacker at the point
of attack"
(as in a "traditional" hack), then no, it's not a remote attack.
I think the
more normal undertstanding of remote attack (although it's usually
worded
remote compromise) is that the result of a successful attack is
the opening of
a gateway that can lead to additional compromise or complete
takeover of a
machine. Given the details you've offered, think this qualifies
as
"potentially leading to a remote compromise" of a machine.

The attack begins when the unsuspecting user clicks on a link to
either open an
attachment or view a webpage or video. In the background the
compromise takes
place, after which the malicious software "phones home", downloads
additional
tools, etc. until the host is completely and utterly compromised.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Think Adobe Acrobat, most of the issues had to do with file
parsing(JBIG2 comes to mind), and the drive by campaigns exploiting
the issue(s) were probably quite successful...

elazar
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkrPdoYACgkQi04xwClgpZjcogP7B3C79Hr+0RJe9z0Ds9qO8ReKJIkB
OLfm5QuifgEuz7Z/4mX2k0ZMqGkqJT3rBE2sR82vrTR2vNK0pMnoNxIy/V71MXBmdZqE
PpXssC5LBRgWD29jFWeBIC0ORTrBZJ1+lcg3dmx9mYlr3moKk9yE3+GXg5Jds2vZvgDy
OUqnnyk=
=LCG2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/