RE: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution)

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: Stuart Moore [mailto:smoore.bugtraq () securityglobal net] 
> Sent: Thursday, February 19, 2004 10:40 PM
> To: thor () pivx com; bugtraq () securityfocus com
> Subject: is predicatable file location a vuln? (was RE: Aol 
> Instant Messenger/Microsoft Internet Explorer remote code execution)

<snip>

> But this could get messy.  What happens when two issues 
> *must* be combined inorder for a 
> security impact to occur?
>
> My personal opinion differs from yours (and from 
> SecurityFocus's) regarding BID 8900 
> (Flash) and the nullsoft and icq BID issues.  I think they 
> are not vulnerabilities, but 
> instead are a few of many, many leverage points for porous MS 
> IE/OS security boundaries. 
> But maybe you could make an argument that some popular Win 
> apps make little or no use of 
> OS security features and so are at fault.  Or maybe you could 
> say that an application 
> written for an OS that is known to have security boundary 
> issues is negligent in using 
> predictable locations.  Uh oh, I guess I could really start 
> chasing my tail here ...

For simple, good QA practice... you want to have each bug written up
seperately. This may mean they are all moderate or low severity.
Security bugs, however, have a special classification under a good QA
system. A "low severity" security bug is much more important then a
normal "high severity" non-security bug.

As for security classification systems that are pure classifications...
They each can pick and choose as they want, of course. There is no
board. I would think a note added to these low or moderate issues with
proper credit would suffice. (Which is actually securityfocus style).



> Perhaps a good question for the Secure Coding list 
> (secure-coding.org)?
>
> Stuart