COUNTEREXPLOITATION SECURITY ADVISORY - 4/1/2006
================================================
Remote Incorrection Vulnerability Affects Textual Internet Documents
Severity: Normal
Title: Remote Incorrection Vulnerability Affects Textual Internet Documents
Date: April 1, 2006
ID: 200603-22
Exploit Description:
CounterExploitation has identified a class of security vulnerabilities
affecting textual materials. This flaw affects all classes of document
containing factual text, in all known languages. The flaw originates
from the improper handling of time-sensitive or externally-variable
data within the document. By exploiting the occurrence of
time-invariant verbs such as "has", "contains", or "displays" present
in the original document, an attacker with physical access to the
verbs' objects (for example, the software the document describes) can
remotely cause portions of the document to become incorrect. We have
witnessed a number of successful executions of this attack,
particularly against researchers documenting the behaviors of
malicious commercial software.
Symptoms:
In and of itself, successful execution of such an attack remotely
produces no visible indication of the attack. However, this type of
attack is frequently followed by a letter from a legal team operating
in conjunction with the attacker. Successful execution of a
remote-incorrection attack allows the attacker, or allies thereof, to
claim that the exploited documents contain false and misleading
information.
Workaround/Fix:
Due to the myriad ways in which the attack can be executed, there is no
specific patch to address it. However, document authors can mitigate
the threat by following proper coding practices for new documents, and
identifying and correcting any unchecked verbs in already existing
documents. In most cases, documents can be hardened against this type
of attack with only minimal code changes.
Example:
The following are some examples of textual materials vulnerable to a remote-incorrection attack:
- "This software transmits email addresses and a list of web sites visited."
- "The current version displays pornographic pop-up advertising."
- "This product is known in the State of California to cause cancer in laboratory animals."
The threat can be mitigated by replacing or qualifying time-invariant verbs as follows:
- "The copy of this software we tested transmitted email addresses and a list of web sites visited."
- "Version 6.01 displays pornographic pop-up advertising."
- "This product was found by the State of California to cause glowing reviews when tested on laboratory animals."
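The identification step from the Workaround/Fix section above, as an added example that is not part of the original advisory: a small scanner that walks a document sentence by sentence, flags sentences that rest on an unchecked time-invariant verb, and treats a sentence as already hardened when its claim is pinned to a version number, a date, or a specific tested copy. The verb list, the qualifier heuristics, and the sample documents (built from the examples above) are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Present-tense, unqualified verbs of the kind the advisory names ("has",
# "contains", "displays"). The extra entries are an assumption for this example.
UNCHECKED_VERBS = ("has", "have", "is", "are", "contains", "displays", "transmits")

# Heuristics that mark a sentence as already hardened: the claim is pinned to a
# version number, a date, or a specific tested copy. These patterns are
# assumptions for this example, not part of the advisory.
QUALIFIER_PATTERNS = (
    r"\bversion\s+\d",                              # "Version 6.01 displays ..."
    r"\bv\d+(?:\.\d+)+\b",                          # "v6.01"
    r"\bas of\s+\d",                                # "as of 2006-04-01 ..."
    r"\b(?:copy|build|release)\b.*\bwe tested\b",   # "the copy ... we tested"
)

VERB_RE = re.compile(r"\b(" + "|".join(UNCHECKED_VERBS) + r")\b", re.IGNORECASE)
QUALIFIER_RE = re.compile("|".join(QUALIFIER_PATTERNS), re.IGNORECASE)
SENTENCE_RE = re.compile(r"(?<=[.!?])\s+")


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned document
    verb: str       # the unchecked verb that was matched
    sentence: str   # the sentence containing it


def is_hardened(sentence: str) -> bool:
    """True if the sentence pins its claim to a version, date, or tested copy."""
    return QUALIFIER_RE.search(sentence) is not None


def scan_document(text: str) -> list[Finding]:
    """Report every sentence that relies on an unchecked time-invariant verb."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for sentence in SENTENCE_RE.split(line.strip()):
            if not sentence:
                continue
            match = VERB_RE.search(sentence)
            if match and not is_hardened(sentence):
                findings.append(Finding(line_no, match.group(1), sentence))
    return findings


# Constructed sample documents: the advisory's own vulnerable and hardened examples.
VULNERABLE_DOC = """\
This software transmits email addresses and a list of web sites visited.
The current version displays pornographic pop-up advertising.
This product is known in the State of California to cause cancer in laboratory animals.
"""

HARDENED_DOC = """\
The copy of this software we tested transmitted email addresses and a list of web sites visited.
Version 6.01 displays pornographic pop-up advertising.
This product was found by the State of California to cause glowing reviews when tested on laboratory animals.
"""

if __name__ == "__main__":
    for f in scan_document(VULNERABLE_DOC):
        print(f"line {f.line}: unchecked verb '{f.verb}' in: {f.sentence}")
    print(f"hardened document: {len(scan_document(HARDENED_DOC))} findings")
```

Run against the vulnerable examples the scanner reports all three lines; run against the hardened examples it reports none, because "Version 6.01" satisfies the version qualifier and the other two sentences no longer use a present-tense verb. The qualifier list is deliberately narrow: a scanner that accepted any mention of "version" would wave through "The current version displays", which is exactly the wording the advisory warns against.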
After hardening documents against this attack, authors of affected
works are strongly encouraged to issue the updated versions to users
and to third parties who independently (whether or not with the
author's knowledge) republish vulnerable copies of the affected work.
==========
J. L. Morgandorfer
2006-04-01
Security Team, CounterExploitation
http://www.cexx.org/