Re: DJB's students release 44 *nix software vulnerability advisories

[Crispin Cowan <crispin () immunix com>]

Steven M. Christey wrote:

> In addition to modeling the level of authentication needed, I've been
> thinking that it might also be important to note how much user/victim
> participation is required for activation of the exploit, i.e. whether
> the issue can be automatically exploited by normal user activity
> (e.g. by simply reading an email message) or whether there's some
> social engineering involved.  However, I haven't put much thought into
> terminology for this besides:
>
>  - automatic: exploit is automatically activated as a result of
>    normal usage of the product
>  
I call this class "worms", or more grammatically a class of remote 
vulnerabilities subject to worm attack. where the malware can propagate 
unassisted.

>  - complicit: requires some victim participation or inaction
>  
I call this class "viruses, same grammar hack as above. These require 
the victim to click on something, or such like, before the malware can 
propagate.

>  - opportunistic: can not really control when, or if, the victim
>    activates the exploit
>  
I'm having a hard time seeing the difference between "complicit" and 
"opportunistic".

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com