Re: DJB's students release 44 *nix software vulnerability advisories

["Steven M. Christey" <coley () mitre org>]

> > And this nasm bug is then called a "remotely exploitable 
> > security hole".
>
> Obviously it is not. I don't think it is even locally exploitable.

Many of the DJB-reported issues deal with exploitation of errors in
parsers or converters for specific file formats.  Many files are
typically "shared," such as images, text documents, data exchange
formats, and so on.  So, there can be vectors in which the attacker
can send a crafted file across network-based channels - web, email,
whatever - that then could conceivably be processed by the user,
either manually or automatically.

Granted, this is a different scenario than might be encountered in
what's typically labeled a "remotely exploitable" vulnerability, but I
haven't seen any emerging terminology that's been able to make this
reasonable distinction.  However, with the growing researcher interest
in finding vulnerabilities based on irregularities in file formats,
the need for better terminology is growing.

In addition to modeling the level of authentication needed, I've been
thinking that it might also be important to note how much user/victim
participation is required for activation of the exploit, i.e. whether
the issue can be automatically exploited by normal user activity
(e.g. by simply reading an email message) or whether there's some
social engineering involved.  However, I haven't put much thought into
terminology for this besides:

  - automatic: exploit is automatically activated as a result of
    normal usage of the product

  - complicit: requires some victim participation or inaction

  - opportunistic: can not really control when, or if, the victim
    activates the exploit

Exploitation of web or email client vulnerabilities that happen as
soon as someone reads a message might be called "automatic," e.g. if
there's a buffer overflow when preparing a preview of the message.  If
the user needs to click on a button or two, e.g. to extract something
whose icon shows as a JPG when in fact it's an executable, that might
be "complicit."  If you insert terminal escape sequences into some log
file in the hopes that an admin accidentally runs "more" or "grep" on
that log file from the proper terminal, then that might be
"opportunistic."  Phishing might be regarded as either automatic or
complicit, depending on whether or not you think web client users
should check their browser's status bar every time they click on a
link.  Again, though, these are just rough ideas.

- Steve