James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
>> This kind of attack has a name already: it is a trojan horse.
> <snip>
>> But is this a remote exploit?
>
> No, it's not an exploit at all. Systems are not vulnerable to it
> unless a local user runs an executable. The only thing it exploits
> is trust of email (or similar vector).

But it is a remote *attack*. There is no other word for it than "remote" when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there certainly is a semantic difference between an attack delivered by an e-mail, which does nothing until the user reads it or clicks on something, and a traditional remote attack where the attacker exploits a flaw in a program that is listening. Such a program typically is a server (BIND, Apache, Sendmail) but could also be a client (Gaim). Pushing the boundaries, the program could be a web browser, where the attack does happen immediately, does not involve a Trojan, but does still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

* Attack: doing bad stuff to someone else's stuff.
* Vulnerability: an unfortunate software flaw or configuration that enables an attack. It might be very specific, such as a buffer overflow vulnerability in a particular program, or it might be very general, such as "running Outlook with administrator privilege".
* Exploit: software that automates attacking a vulnerability.
  o *Note:* by this definition, an e-mail virus that leverages the common fact that many users run Outlook as administrator is in fact an "exploit", even if it is a weak one.
* Remote: attacker is over there somewhere, usually across some kind of network.
* Local: attacker and victim are connected to the same computer.
  o *Note:* in common parlance, this usually means that the attacker must compose a local vulnerability with some other vulnerability that will get them a login shell on the machine to be attacked, or must be granted legitimate access to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe these definitions follow common usage. Using these terms precisely is important. Yet none of them capture the distinction Derek pointed out, and so perhaps we need a new term. We could say that attacks against connected programs like BIND and Gaim are "synchronous" and attacks that involve sending now for impact later, such as e-mailed malware, are "asynchronous".

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com