Steven M. Christey
coley at mitre.org
Thu Aug 10 21:38:21 EDT 2006
I forgot to tell VIM that CVE is now using the "user-assisted" term to
handle the (usually client-side) cases in which the victim must
manuually or non-automatically receive a malicious payload and
activate it. This is much better than the crude "user-complicit" term
we were using before.
Note that since I've started thinking more heavily about this, there
are still cases in which the typical attack vectors would be remote or
local; e.g. if the application is a chat client and the victim has to
approve an "add friend" request from the attacker, the channel is
still remote. I'm still figuring things out, though.
Some CVE analysts have tried to use the term to account for cases in
which because the user must be "tricked" into visiting a web page or
clicking on a link, especially for web browser vulns. However, I'm
currently of the opinion that these do *not* fall under the
"user-assisted" label because in the Internet environment, most
web-based attack scenarios can be automated (e.g. through XSS/HTML
injection), and/or the simple act of clicking on a link is so
fundamental to web browsing. On the other hand, an exploit that
requires the victim to drag-and-drop certain icons to activate a
payload would be user-assisted in my book.
In conclusion, this eases the terminological pain, but it doesn't fix
P.S. credit to Gadi Evron for suggesting the term.
More information about the VIM