COUNTEREXPLOITATION SECURITY ADVISORY - 4/1/2006
===============================

Remote Incorrection Vulnerability Affects Textual Internet Documents

  Severity: Normal
     Title: Remote Incorrection Vulnerability Affects Textual Internet Documents
      Date: April 1, 2006
        ID: 200603-22

Exploit Description:
CounterExploitation has identified a class of security vulnerabilities affecting textual materials. This flaw affects all classes of document containing factual text, in all known languages. The flaw originates from the improper handling of time-sensitive or externally-variable data within the document. By exploiting the occurrence of time-invariant verbs such as "has", "contains", or "displays" present in the original document, an attacker with physical access to the verbs' objects can remotely cause portions of the document to become incorrect. We have witnessed a number of successful executions of this attack, particularly against researchers documenting the behaviors of malicious commercial software.

Symptoms:
In and of itself, successful execution of such an attack remotely produces no visible indication of the attack. However, this type of attack is frequently followed by a letter from a legal team operating in conjunction with the attacker. Successful execution of a remote-incorrection attack allows the attacker, or allies thereof, to claim that the exploited documents contain false and misleading information.

Workaround/Fix:
Due to the myriad ways in which the attack can be executed, there is no specific patch to address it. However, document authors can mitigate the threat by following proper coding practices for new documents, and identifying and correcting any unchecked verbs in already existing documents. In most cases, documents can be hardened against this type of attack with only minimal code changes.

Example:
The following are some examples of textual materials vulnerable to a remote-incorrection attack:

"This software transmits email addresses and a list of web sites visited."
"The current version displays pornographic pop-up advertising."
"This product is known in the State of California to cause cancer in laboratory animals."

The threat can be mitigated by replacing or qualifying time-invariant verbs as follows:

"The copy of this software we tested transmitted email addresses and a list of web sites visited."
"Version 6.01 displays pornographic pop-up advertising."
"This product was found by the State of California to cause glowing reviews when tested on laboratory animals."

After hardening documents against this attack, authors of affected works are strongly encouraged to issue the updated versions to users and third-parties who independently (whether or not with your knowledge) republish vulnerable copies of the affected work.

==========
J. L. Morgandorfer
2006-04-01
Security Team, CounterExploitation
http://www.cexx.org/