[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability

>would be basing our decisions on observable characteristics.  With
>codebase", we have as you note some similar problems, plus too often we
>not have access to the actual code and therefore will have to base feed
>fuzzy (or whatever) decision process with guesses, thus compounding our

If we take the existing definition;

NT users can gain debug-level access on a system process using the
Sechole exploit.

and apply the "same attack" approach to it, then anything that can allow
an NT user to gain debug-level access on a system process would be
considered the same as SecHole. Doesn't matter how they got it, where
they got it, or what process they got it from.

If we don't do some level of scrutiny, either on the codebase for the
attack, or the codebase of the vulnerable system, this is all we're left
with. Unless of course you decide we're only going to enumerate
network-based attacks and we're using the packet signature to define the
attack (for the purposes of comparing to other attacks). That would be,
however, a Common Attack Enumeration, not vulnerability enumeration.

Even then, we should not preclude the observation of available details
simply because they may not be widely available. The evolution of the
enumeration of species has been based on observable details, and as more
details became available, definitions were revised accordingly
(sometimes correctly, sometimes incorrectly).

While we may not be at the stage of Socrates, we're nowhere near DNA
testing or even the Dewie Decimal System.

If you want something that's simple, has fewer entries, and is less
subject to criticism, I'll shut up.

If instead you want to actually enumerate unique vulnerabilities, then
to make the decision in the beginning to preclude some verifiable data
(not conjecture or opinion) from the determination process is simply
flawed. Its just as flawed to presume there is a network signature to

Out of curiosity, what does the group see as being an "average"
Candidate announcement? I can see us having to "guess" within the first
few days, but after that (and likely before we reach CVE status),
details of "most" vulnerabilities are going to include codebase details.

Russ - NTBugtraq Editor

Page Last Updated or Reviewed: May 22, 2007