Forum Thread: show attack vectors and file associations for risk assessment

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
dabruro show attack vectors and file associations for risk assessment
Member 8th Jul, 2009 02:47
Ranking: 0
Posts: 4
User Since: 28th Jan, 2008
System Score: 96%
Location: US
Often PSI flags an old version of Java or Quicktime which is installed *within* another product. If nothing except that product invokes it, then there should be very little risk, depending on the method of attack that it would be vulnerable to. Can't PSI tell me this?

If having file types (or protocols) associated with a given product installation enables attacks, then why can't PSI tell me what file extensions/protocols are associated with the vulnerable product?

Or if it is a more direct remote vulnerability (as in a web browser), I'd like to know that as well.

--
D Rosen

Anthony Wells RE: show attack vectors and file associations for risk assessment
Expert Contributor 8th Jul, 2009 18:14
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 8th Jul, 2009 18:19


Open Office at one time used an out of date/insecure version of Java & insisted on reinstalling it when I tried to get rid of it !!
A very nice (important) guy at Sun/OO.org took the time & trouble to explain the rationale & risks involved ; but he could not decide for me whether to run OO as it was or wait for an updated version to appear. I decided to run it , as it was .

I "think" Secunia on its own would be hard pressed to go through all the if's and maybe's in all the cases that depend on so many imponderables . If you're lucky the suppliers' support may give you enough info to specify your question to Secunia "support" if you have a specific case in mind . It would have to be up to you then to make an "educated" guess.

You never know , Secunia certainly take on board what is raised here .

--


It always seems impossible until it's done.
Nelson Mandela
dabruro RE: show attack vectors and file associations for risk assessment
Member 9th Jul, 2009 03:00
Score: 0
Posts: 4
User Since: 28th Jan 2008
System Score: 96%
Location: US
"Imponderables" aside, there's a big difference between having a vulnerable Java and Quicktime installed and used as plugins in your browser and associated with file types such as .mov and .jnlp (or corresponding mime types), vs. merely having an old version of those products existing somewhere on your hard drive and perhaps invoked by a particular product for its own purposes. Of course "its own purposes" might involve opening possibly malicious files (e.g. OpenOffice being used to open documents etc.) and thus exercising the vulnerability...

For any given vulnerable program, if PSI could just tell us about any known ways in which this may be invoked automatically -- e.g. OS file or protocol associations, mime type associations within mail clients & web browsers, links in a start menu or elsewhere, and usage as a plugin or within a browser or some other product -- it would be a lot better than nothing.

And while we're at it, tell us whether that method of invoking it is known to be capable/incapable of exploiting the vulnerability (e.g. if the vulnerability only occurs in the context of embedded content in a web page, vs opening a file locally...)

And this would be getting really fancy, but perhaps provide an option to intercept/confirm or change the association for a still-vulnerable app.

For example if I have a vulnerable version of MS Word installed (perhaps there isn't even a patch yet for it), any associations that invoke it could first invoke a wrapper giving a warning and offering to open it in Word Viewer or OpenOffice instead, or even to open it in MS Word but inside a sandbox...

--
D Rosen
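What the association inventory asked for in the post above could look like, as an added example that is not part of the thread or of PSI: it reads the text of a `reg export HKCR` dump and lists the file extensions and URL protocols whose `open` command launches a given program. The sample export, its paths and the `qtstream` scheme are constructed, and per-user overrides, browser plug-ins and MIME handlers are outside what it checks.

```python
import re

# Constructed sample in the text format of `reg export HKCR classes.reg`
# (real exports are UTF-16; decode first). Paths and the qtstream scheme are made up.
SAMPLE = r'''
[HKEY_CLASSES_ROOT\.mov]
@="QuickTime.mov"
[HKEY_CLASSES_ROOT\QuickTime.mov\shell\open\command]
@="\"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe\" \"%1\""
[HKEY_CLASSES_ROOT\.jnlp]
@="JNLPFile"
[HKEY_CLASSES_ROOT\JNLPFile\shell\open\command]
@="\"C:\\Program Files\\Java\\jre6\\bin\\javaws.exe\" \"%1\""
[HKEY_CLASSES_ROOT\qtstream]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\qtstream\shell\open\command]
@="\"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe\" -u \"%1\""
'''

def parse(text):
    """Map each lower-cased key path (hive prefix removed) to its {value name: data}."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            cur = keys.setdefault(line[1:-1].split('\\', 1)[-1].lower(), {})
        elif cur is not None and '=' in line:
            name, _, val = line.partition('=')
            if val.startswith('"'):              # string value: unquote and unescape
                val = re.sub(r'\\(.)', r'\1', val[1:-1])
            cur[name.strip('"').lower()] = val   # '@' is the key's default value
    return keys

def invokers(keys, exe):
    """Return {'.ext' or 'scheme:': command} for open commands that contain exe."""
    exe, hits = exe.lower(), {}
    for key, vals in keys.items():
        if '\\' in key:                          # only top-level class keys
            continue
        if key.startswith('.'):                  # extension -> ProgID in default value
            progid, label = vals.get('@', '').lower(), key
        elif 'url protocol' in vals:             # protocol handler key
            progid, label = key, key + ':'
        else:
            continue
        cmd = keys.get(progid + '\\shell\\open\\command', {}).get('@', '')
        if exe in cmd.lower():
            hits[label] = cmd
    return hits
```

Passing an installation directory instead of a file name separates a copy that the system invokes through associations from one that merely sits inside another product's folder: `invokers(parse(SAMPLE), r'C:\Program Files\Suite\jre')` returns an empty result for the constructed sample.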
Anthony Wells RE: show attack vectors and file associations for risk assessment
Expert Contributor 9th Jul, 2009 12:21
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 9th Jul, 2009 12:29
I'm a non-techie , so I see it this way:-

1) I understand your first paragraph as it relates to my experience & the specific info OO very kindly gave me .
2) I don't agree at all that something is better than nothing ; believe me , a little knowledge really can be a dangerous thing !!
3) All the bits of knowledge collected/offered would need to take into account the infinite range of techie ability receiving it
4) How much would you pay the Secunia chap to do the research & say yes it's OK or not - and how would the bad guys react to this info being "in the wild" ?? And what if Secunia was just plain wrong ??
5) In your last para , how many associations are/could there be ??

I'm not a "luddite" , but "KISS" also has its merits & I'm sure that once Secunia get a few more of the unwashed into the shower ; maybe they'll have time to go where you suggest . That may help some , just as long as they keep it free for me !!

Take care
Anthony

PS: re your very last point , I use a sandbox whenever & wherever - saved me from great anguish . Chrome seems to be going in this direction (hopefully:-o))


--


It always seems impossible until it's done.
Nelson Mandela
