Re: [Full-disclosure] Apple Safari ... DoS Vulnerability
Hi,

Michal, with all due respect, I'd like to beg to differ (and maybe be
too nitpicky here).

MZ> Vulnerabilities are a subset of software engineering bugs.
I do not think this is the case (lack of the term "software"). How's
this for being nitpicky? ;)

In my book, maybe only in mine, a software bug is security relevant
(sorry for the lack of clarity - it's late over here) as soon as
Integrity / Availability / Confidentiality are under arbitrary direct
or indirect control of another entity (i.e. attacker). Period,
personally this represents the ultima ratio.

After this - it's just a measure of _how much_. And the question of how much
is a completely other one.

Example:
If a chrome tab can be crashed arbitrarily (remotely) it is a DoS attack,
but with ridiculously low impact to the end-user as it only crashes the tab
it was subjected to, and not the whole browser or operating system.
But the fact remains that this was the impact of a DoS condition:
the tab crashes arbitrarily.


MZ> As the name
MZ> implies, they are defined strictly by the impact they have; if a bug
MZ> does not render the victim appreciably susceptible to anything that
MZ> would be of value to external attackers, it is not a security problem.
You define vulnerability like a boolean that is true when the impact is of
value to the attacker. "would be of value to external attacker" - I
clearly disagree; I don't think that the nature of a bug
(vulnerability) can be defined by the "value" it has for the attacker.
What about damage to the victim? What about lost revenue, agreement
breaches etc. pp. I'd not recommend measuring security from the perspective
of the attacker, but rather by the (potential) loss of the entity that tries to
measure.

MZ> Anyway... bottom line is, any attempts to formalize the criteria are
MZ> bound to fail (and have mostly failed in the past), and common sense
MZ> is the best tool we have.

If we want to arrive at a state where risk can be managed, it needs
to be measured. And if we aren't that far in 2009 I pity us all.

--
http://secdev.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/