Full Disclosure mailing list archives
Re: Apple Safari ... DoS Vulnerability
From: Thierry Zoller <Thierry () Zoller lu>
Date: Fri, 27 Feb 2009 14:36:22 +0100
Hi,

Michal, with all due respect I'd like to beg to differ (and maybe be too nitpicky here).

MZ> Vulnerabilities are a subset of software engineering bugs.

I do not think this is the case (lack of the term software). How's this for being nitpicky? ;)

In my book, maybe only in mine, a software bug is security relevant (sorry for the lack of clarity - it's late over here) as soon as Integrity / Availability / Confidentiality are under arbitrary direct or indirect control of another entity (i.e. attacker). Period, personally this represents the ultima ratio. After this - it's just a measure of _how much_. And the question of how much is a completely other one.

Example: If a chrome tab can be crashed arbitrarily (remotely) it is a DoS attack but with ridiculously low impact to the end-user as it only crashes the tab it was subjected to, and not the whole browser or operating system. But the fact remains that this was the impact of a DoS condition, the tab crashes arbitrarily.

MZ> As the name
MZ> implies, they are defined strictly by the impact they have; if a bug
MZ> does not render the victim appreciably susceptible to anything that
MZ> would be of value to external attackers, it is not a security problem.

You define vulnerability like a boolean that is true when the impact is of value to the attacker. "would be of value to external attacker" - I clearly disagree, I don't think that the nature of a bug (vulnerability) can be defined by the "value" it has for the attacker. What about damage to the victim? What about lost revenue, agreement breaches etc pp. I'd not recommend to measure security from the perspective of the attacker, but rather the (potential) loss of the entity that tries to measure.

MZ> Anyway... bottom line is, any attempts to formalize the criteria are
MZ> bound to fail (and have mostly failed in the past), and common sense
MZ> is the best tool we have.

If we want to arrive at a state where risk can be managed, it needs to be measured. And if we aren't that far in 2009 I pity us all.

--
http://secdev.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apple Safari ... DoS Vulnerability Michael Krymson (Feb 26)
- Re: Apple Safari ... DoS Vulnerability Thierry Zoller (Feb 26)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 26)
- <Possible follow-ups>
- Re: Apple Safari ... DoS Vulnerability Thierry Zoller (Feb 27)
- Re: Apple Safari ... DoS Vulnerability J. Oquendo (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Jeremy Brown (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Valdis . Kletnieks (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 27)
- Re: Apple Safari ... DoS Vulnerability J. Oquendo (Feb 27)