K. Reid Wightman :verified: 🌻
:donor: :clippy:@reverseics@infosec.exchange
@cR0w@infosec.exchange Yeah. I seem to remember some supernerd friends having this argument about email a long time ago. Whether it's considered AV:N and UI:R or not.
I say 'yes' to both because the CVSS specification says that UI includes a "user-initiated process".
By default, Outlook does not start on a computer until the user at minimum logs in to the computer (usually they have to start Outlook manually to boot), which initiate the process.
Reading the CVSS spec is hard though, let's go shopping.
cR0w@cR0w@infosec.exchange
@reverseics@infosec.exchange I agree with your take. Luckily, the nuance is handled by analysts who are capable of thinking and not by just the scores, right?
Oh.