Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase
On Wed, Jun 23, 1999 at 01:40:22PM -0400, Steven M. Christey wrote:
> Adam Shostack asked me the following question, which touches on a
> potentially delicate issue that nonetheless should be addressed sooner
> rather than later. Quiet people may want to pipe up on this one ;-)
Sorry I haven't been of much help. Been busy with other thing
and will probably continue to be so for the next week or so.
> I see how you think this could be an LOA (level of abstraction) issue.
> There are multiple applications affected.
> From my perspective, we shouldn't divide this into separate
> vulnerabilities because:
> - the same "exploit" would work on any of these applications
> (modulo the OS the application is on)
> - the bug occurs in multiple applications, but these applications
> all do the same thing (i.e. process email)
> - the bug is in the same functional component/specific "operation"
> of the applications, i.e. the MIME conversion
> - the bug has been discovered in each application at (basically)
> the same time
> To me, this is the same implementation flaw, spread across different
> implementations of the same type of application, so this is the
> appropriate LOA to use. (Er, I suppose I could have written that
> better). Do people agree with this perspective?
I agree with Steve given the factors he list (vulnerability in
modules that are functionally equivalent and are discovered
roughly at the same time). But we definetly want to keep an eye
for what Adam is talking about. Otherwise we should just create
a "Buffer Overflow Vulnerability" entry and list eveything there.
Another example, the AIX & Linux -froot vulnerability. Different code,
> Note that the description singles out mailtool and Outlook, ignoring
> the other applications that are affected. Assuming we agree on the
> LOA, should the description be modified to list all affected clients?
> - Steve
Aleph One / email@example.com
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01