[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase

Adam Shostack asked me the following question, which touches on a
potentially delicate issue that nonetheless should be addressed sooner
rather than later.  Quiet people may want to pipe up on this one ;-)

| Candidate: CAN-1999-0004
| Published: 
| Final-Decision: 
| Interim-Decision: 
| Modified: 19990621-01
| Announced: 19990607
| Assigned: 19990607
| Category: SF
| Reference: CERT:CA-98.10.mime_buffer_overflows
| Reference: XF:outlook-long-name
| Reference: SUN:00175
| MIME buffer overflow in email clients, e.g. Solaris mailtool
| and Outlook.
| Modifications:
|   ADDREF MS:MS98-008
|   DESC include Outlook

>It occurs to me that there may be a [level of abstraction] issue
>here. Why are we grouping all mailtools into one entry?  If we choose
>to do this, we need to add at least Eudora as well.  Its fairly clear
>to me that these are distinct.

I see how you think this could be an LOA (level of abstraction) issue.
There are multiple applications affected.

>From my perspective, we shouldn't divide this into separate
vulnerabilities because:
  - the same "exploit" would work on any of these applications
    (modulo the OS the application is on)
  - the bug occurs in multiple applications, but these applications
    all do the same thing (i.e. process email)
  - the bug is in the same functional component/specific "operation"
    of the applications, i.e. the MIME conversion
  - the bug has been discovered in each application at (basically)
    the same time

To me, this is the same implementation flaw, spread across different
implementations of the same type of application, so this is the
appropriate LOA to use.  (Er, I suppose I could have written that
better).  Do people agree with this perspective?

Note that the description singles out mailtool and Outlook, ignoring
the other applications that are affected.  Assuming we agree on the
LOA, should the description be modified to list all affected clients?

- Steve

Page Last Updated or Reviewed: May 22, 2007