03-01-2009, 10:32 AM
This NIST draft dated 27 Feb 2009 (still in final comment phase) is an excellent software engineering resource. The document, The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities, can be summed up by this definition provided within the document:
A software feature misuse vulnerability is caused by the software designer making trust assumptions that permit the software to provide a beneficial feature, while also introducing the possibility of someone violating the trust assumptions to compromise security. For example, email client software may contain a feature that renders HTML content in email messages. An attacker could craft a fraudulent email message that contains hyperlinks that, when rendered in HTML, appear to the recipient to be benign, but actually take the recipient to a malicious web site when they are clicked on. One of the trust assumptions in the design of the HTML content rendering feature was that users would not receive malicious hyperlinks and click on them.
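The HTML-rendering example in the quoted definition comes down to one thing: the text the recipient sees in a link is not the destination the link actually has. The following is an added example, not code from the NIST draft or the CMSS document, showing one way a mail gateway or client could flag that mismatch. It assumes the usual HTML anchor format, treats the hostnames and messages below as constructed sample data, and only flags links whose visible text itself looks like a URL or domain (there is nothing to compare against in "click here").

```python
"""Flag deceptive hyperlinks in an HTML email body.

Added example for the CMSS "software feature misuse" definition: the HTML
rendering feature is misused when an <a> element shows one destination as
its text while its href points somewhere else.  The sample message and
hostnames below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Return the lowercase host of url, or '' if it has none or is malformed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def _same_site(a: str, b: str) -> bool:
    """True if the two hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the input."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible text)
        self._href = None      # href of the anchor currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str):
    """Return (href, text) for anchors whose visible text names a different site.

    A link is flagged when its visible text parses as a URL or bare domain and
    that host is neither the href's host nor a parent/child domain of it, or
    when the href is a javascript:/data: URL (no host to compare at all).
    Descriptive anchor text such as "click here" is never flagged, because the
    user was not shown a destination to be misled about.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        # Treat bare "www.bank.example" text as a URL so it parses the same way.
        shown = text if "://" in text else "http://" + text
        shown_host = _host(shown)
        if "." not in shown_host or " " in text:
            continue                       # text does not look like a host
        real_host = _host(href)
        scriptish = href.lower().lstrip().startswith(("javascript:", "data:"))
        if scriptish or not _same_site(shown_host, real_host):
            flagged.append((href, text))
    return flagged


# Constructed sample: one lookalike link (attacker domain with the bank's name
# as a subdomain prefix), one legitimate link, one descriptive-text link.
SAMPLE_MESSAGE = """
<p>Dear customer, please verify your account at
<a href="http://bank.example.attacker.example/login">https://www.bank.example/login</a>.</p>
<p>Or visit <a href="https://login.bank.example/">bank.example</a> or
<a href="https://help.bank.example/">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_MESSAGE):
        print(f"deceptive link: shows {text!r} but goes to {href!r}")
```

The subdomain comparison is deliberately lenient (login.bank.example is accepted for text reading bank.example); tighten it to exact-host matching if the deployment cannot tolerate that. The check does not address the other half of the trust assumption in the definition, namely that the user will click anyway, so it belongs alongside user-facing link disclosure rather than instead of it.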