Vulnerability Classification Terminology

[This was originally published on the OSVDB blog.]

Local or remote: it seems so simple when classifying a vulnerability. The last few years have really thrown this simple distinction for a loop. Think of a vulnerability that occurs when processing a file, such as a browser rendering a JPG or GIF, or a program like Adobe Reader processing a PDF file. On one hand, you could argue that the attack is remote because the browser has to load the image over the network, or a user must be e-mailed the PDF before it can be opened. On the other hand, what happens when the malformed file is handed to you on a floppy disk? What if you are using MSIE to browse files on your own hard disk? It's not that "local" and "remote" are *wrong*, they are just not descriptive enough.

This debate has popped up on mail lists in the past year, and I guarantee you it has been discussed at every VDB. After a couple of years of discussing it internally at OSVDB, we haven't been able to come up with a better classification scheme. Why? Everything we come up with is either just as nondescript or overly complex. We can't seem to find a good middle ground that captures such distinctions.

Recently, Steven Christey of CVE has come up with a middle ground and begun using it in some entries. For attacks that require outside help to deliver hostile material to a victim, he has begun using the phrase "external user-complicit attackers", and it seems to be a good fit.
