On Wed, Feb 09, 2005 at 02:18:45AM +0200, Rafel Ivgi wrote:
> Finjan Security Advisory
> Microsoft Office XP Remote Buffer Overflow Vulnerability
>
> Introduction
>
> Finjan has discovered a new vulnerability in Microsoft Word
> XP that would allow a hacker to launch a buffer overflow attack.
> This attack could occur when a user opened a Word document using
> Internet Explorer.

Then it would seem that the hacker isn't "launching" an attack at all... It's the user who unknowingly opens a malicious document who is the direct cause of the exploit. The hacker merely passively provides the user with an opportunity to harm themselves...

I'm not trying to say that this isn't a bug, or that it shouldn't be addressed; but by calling it a "Remote Buffer Overflow Vulnerability" I think you're ascribing a higher severity to the problem than is really warranted.

We normally use "remote exploit" and similar expressions to refer to an active attack instigated by an attacker who is using a machine which is different from the target machine. The attack is carried out by actively connecting to the target. This bug, on the other hand, requires direct action by a local user, so it is a very different kind of attack; it is a passive attack. A user can minimize the chances of being affected by this kind of problem simply by being prudent about downloading Word documents only from trusted sources. [This is not to say that the risks are necessarily negated in all cases; but they can at least be significantly mitigated.]

By contrast, one can only protect oneself from an active remote attack by discovering that one is running vulnerable software and taking it out of harm's way (either by upgrading or by not running it at all).

Since the most common exploits these days have both local and remote elements, perhaps we should stop trying to think about these as local or remote, but instead as active or passive.
The active exploit is active on both sides; it requires an active attack, or direct action, on the part of the attacker. Defending against it also requires action on the part of the target (i.e. upgrading vulnerable software).

The passive attack, once the attacker has provided an /opportunity/ for victims to harm themselves, requires no direct action on the part of the attacker. We cannot even call the victim a target, because that implies that they have been chosen in some way. But in a passive attack, the attacker merely gets whoever drops by. Defending against this kind of attack likewise requires no action on the part of the user; they need only choose NOT to download the malicious payload (i.e. do nothing).

This bug which you are reporting is a passive attack which occurs through the direct action of the user, not the attacker. While it is of concern, I think it is not as severe or risky as what we normally think of as a remote buffer overflow.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D