being sent a sketchy file and then asked to click on a link in it isn't "remote" code execution actually
-
@invoxiplaygames.uk I was thinking about this for a while and I think my opinion is that it's ok to call it RCE (you're tricking the user into downloading and running remote code) because we currently lack taxonomic specificity around the "it's an interactive trick based on subverting user expectations, not traditional RCE" aspect of it.
The key problem is calling this class of document-based code execution bugs "remote", when the actual exploitation vector is inherently filesystem-local.
-
@gsuberland @invoxiplaygames.uk Calling this RCE is at least consistent with MS's own taxonomy (see previous Office vulns). CVSS UI:R is also a meaningful datapoint for those parsing their feed.