Remote Incorrection Vulnerability Affects Textual Internet Documents

  Severity: Normal
Title: Remote Incorrection Vulnerability Affects Textual Internet Documents
Date: April 1, 2006
ID: 200603-22

Exploit Description:
CounterExploitation has identified a class of security vulnerabilities affecting textual materials. This flaw affects all classes of document containing factual text, in all known languages. The flaw originates from the improper handling of time-sensitive or externally-variable data within the document. By exploiting the occurrence of time-invariant verbs such as "has", "contains", or "displays" present in the original document, an attacker with physical access to the verbs' objects can remotely cause portions of the document to become incorrect. We have witnessed a number of successful executions of this attack, particularly against researchers documenting the behaviors of malicious commercial software.

In and of itself, successful execution of such an attack remotely produces no visible indication of the attack. However, this type of attack is frequently followed by a letter from a legal team operating in conjunction with the attacker. Successful execution of a remote-incorrection attack allows the attacker, or allies thereof, to claim that the exploited documents contain false and misleading information.

Due to the myriad ways in which the attack can be executed, there is no specific patch to address it. However, document authors can mitigate the threat by following proper coding practices for new documents, and identifying and correcting any unchecked verbs in already existing documents. In most cases, documents can be hardened against this type of attack with only minimal code changes.

The following are some examples of textual materials vulnerable to a remote-incorrection attack:
The threat can be mitigated by replacing or qualifying time-invariant verbs as follows:
After hardening documents against this attack, authors of affected works are strongly encouraged to issue the updated versions to users and third-parties who independently (whether or not with your knowledge) republish vulnerable copies of the affected work.

J. L. Morgandorfer
Security Team, CounterExploitation