Re: Finjan Security Advisory: Microsoft Office XP Remote Buffer Overflow Vulnerability



On Wed, Feb 09, 2005 at 02:18:45AM +0200, Rafel Ivgi wrote:
> Finjan Security Advisory
> Microsoft Office XP Remote Buffer Overflow Vulnerability
> 
> Introduction
> 
> Finjan has discovered a new vulnerability in Microsoft Word
> XP that would allow a hacker to launch a buffer overflow attack.
> This attack could occur when a user opened a Word document using
> Internet Explorer.

Then it would seem that the hacker isn't "launching" an attack at
all...  It's the user who unknowingly opens a malicious document who
is the direct cause of the exploit.  The hacker merely passively
provides the user with an opportunity to harm themselves...

I'm not trying to say that this isn't a bug, or that it shouldn't be
addressed; but by calling it a "Remote Buffer Overflow Vulnerability"
I think you're ascribing a higher severity to the problem than is
really warranted.  We normally use "remote exploit" and similar
expressions to refer to an active attack instigated by an attacker who
is using a machine which is different from the target machine. The
attack is carried out by actively connecting to the target.

Whereas this bug requires direct action by a local user, it is a very
different kind of attack; it is a passive attack.  A user can minimize
the chances of being affected by this kind of problem simply by being
prudent about downloading Word documents only from trusted sources.
[This is not to say that the risks are necessarily negated in all
cases; but they can at least be significantly mitigated.] By contrast,
one can only protect oneself from an active remote attack by
discovering that they are running vulnerable software, and taking it
out of harm's way (either by upgrading or by not running it at all).

Since the most common exploits these days have both local and remote
elements, perhaps we should stop trying to think about these as local
or remote, but instead active or passive.  The active exploit is
active on both sides; it requires an active attack, or direct action,
on the part of the attacker.  Defending against it also requires
action on the part of the target (i.e. upgrading vulnerable software).
The passive attack, once the attacker has provided an /opportunity/
for victims to harm themselves, requires no direct action on the part
of the attacker.  We cannot even call the victim a target, because
that implies that they have been chosen in some way.  But in a passive
attack, the attacker merely gets whoever drops by.  Defending against
this kind of attack likewise requires no action on the part of the
user; they need only choose NOT to download the malicious payload
(i.e. do nothing).

This bug which you are reporting is a passive attack which occurs
through the direct action of the user, not the attacker. While it
is of concern, I think it is not as severe or risky as what we normally
think of as a remote buffer overflow.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D